April 17, 2020
7 min read
Tweet

The importance of infrastructure as code

Managing complex cloud infrastructure can become a real issue especially when we want to recover from a disaster, add more resources or enforce certainty that our changes do not break anything.

IAC to the rescue

Infrastucture as code is a declarative language the uses cloud provider API's for resource provisioning.

The way it works is by modelling our entire cloud infrastucture using code thus greatly reduce the stress of managing our resources and at the same time adding certainty that everything will work as expected when we need to make any changes.

Some popular tools for writing IAC are Terraform and CloudFormation. Personally I prefer Terraform since it is a cloud-agnostic solution.

To get started with Terraform go ahead and download it from the official website.

Export the binary's path in your .profile

export PATH="$PATH:~/path-to-binary"

Build Infrastructure

First you need to create a file with the .tf extension.

Inside the file add the following:

provider "aws" {
  region = 'eu-west-1'
}

This defines the provider your are about to use.

Note: It is recommended not to hardcode credentials into the *.tf cofiguration files.

Then run the following:

terraform init

By running terraform init Terraform downloads everything that is necessary to provision resources in your specified provider.

To format your configuration for easy readability run:

terraform fmt

To syntactically validate your configuration run:

terraform validate

Finally to apply the configuration changes run:

terraform apply

When you apply the configuration, Terraform will show you all the actions it'll take in order to change real infrastructure. You'll notice that Terraform uses a similar format to git diff to display additions and deletions in your resources.

Terraform also keeps track of every ID of the created resources into a .tfstate file. Make sure that you commit this file in your version control so that anyone in your team that uses Terraform can use it.

You could also write state data to a remote data store such as Terraform Cloud or AWS S3.

To use Terraform Cloud as the backend add the following in your .tf file (Make sure you have an account with Terraform):

terraform {
  backend "remote" {
    organization = "your-organization-name"

    workspaces {
      name = "your-workspace-name"
    }
  }
}

To inspect the current state using:

terraform show

Change Infrastructure

As your Terraform configuration changes over time, when you run apply it only modifies, creates or destroys what is necessary. By commiting your configuration in version control you can easily see how it is progressing over time.

Destroy Infrastructure

To destroy all resources that you've created by your configuration run:

terraform destroy

Resource Dependencies

You can specify if a resource depends on another resource before you create it by using the depends_on argument. For example you can specify that you want an EC2 instance to be created but only after the S3 bucket is created. All other resources that don't have any dependencies can be created in parallel.

resource "aws_instance" "ec2" {
  ami             = "ami"
  instance_type   = "instance-type"
  key_name        = "key-name"

  depends_on = [
    aws_s3_bucket.media,
    aws_s3_bucket.static,
    aws_security_group.ec2
  ]

Another way to define dependencies is with interpolation expressions. For example to create an aws elastic ip that depends on an instance you would write the following:

resource “aws_eip” “ip” {
    vpc = true
    instance = aws_instance.ec2.ip
}

Where ec2 is an instance you defined previously.

Provisioners

Terraform also gives you the ability to do post operations after your resources are created or destroyed. This is useful if you want to do some initial setup after an instance creation i.e. run scripts, install software etc.

To define a provisioner, add the following to a resource block:

Provisioner “local-exec” {
    command = “ls”
}

local-exec Executes commands on your local machine.

remote-exec To execute commands on a remote machine you must define an ssh connection in the connection block.

Failed Provisioner and Tainted Resources

If a resource has been created successfully but there was a problem with your provisioner, Terraform will give you an error and mark this resource as tainted.

Next time you apply your configuration, Terraform will remove the tainted resource, create it again and try to run the provisioning step.

Manually Tainting Resources

You also have the ability to mark a resource as tainted manually if you want to destroy and recreate it.

Input variables

If your configuration uses a lot of common variables then Terraform lets you create a variables.tf file where you can define all the variables that you need.

variable "region" {
  description = "The AWS region the services will use."
  default     = "eu-central-1"
}

Then to use the variables in your main configuration write the following:

provider "aws" {
  region = var.region
}

Output variables

Output variables is a way to access values like an instance's IP after a Terraform build.

Create an output.tf file and define all the values that you want to get outputted when you run apply.

Note: You can also add values to any of your .tf files.

output "instance_ip" {
  value = aws_instance.ec2.public_ip
}

Full configuration

Below you will see a full Terraform configuration that creates an IAM group with an attached policy, a security group with an open SSH port, an EC2 instance, a security group for an RDS instance, an RDS instance, an S3 bucket with subfolders and a CloudFront distribution.

terraform {
  backend "remote" {
    organization = "demo"

    workspaces {
      name = "demo"
    }
  }
}

locals {
  app            = "demo"
  s3_media       = "demo-media"
  database       = "demo-db"
}

provider "aws" {
  region = var.region
}

resource "aws_iam_group" "administrators" {
  name = "administrators-test"
}

resource "aws_iam_group_policy_attachment" "ap1" {
  group      = "administrators-test"
  policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess"
  depends_on = [aws_iam_group.administrators]
}

resource "aws_security_group" "ec2" {
  name        = "ec2"
  description = "Default ${local.app} EC2 security group"
  vpc_id      = "vpc-0522b76d"
  tags = {
    Name = "ec2"
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "rds" {
  name        = "rds"
  description = "Default ${local.app} RDS security group"
  vpc_id      = "vpc-0522b76d"
  tags = {
    Name = "rds"
  }

  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_s3_bucket" "media" {
  bucket = local.s3_media
}

resource "aws_s3_bucket_object" "media_folders" {
  for_each = toset(var.clients)
  bucket   = local.s3_media
  key      = "${each.value}/"

  depends_on = [aws_s3_bucket.media]
}

resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
  comment = local.s3_origin_id
}

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = aws_s3_bucket.static.bucket_domain_name
    origin_id   = local.s3_origin_id

    custom_origin_config {
      http_port              = "80"
      https_port             = "443"
      origin_protocol_policy = "http-only"
      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    }
  }

  enabled         = true
  is_ipv6_enabled = true

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "allow-all"
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  depends_on = [aws_s3_bucket.static]
}

resource "aws_db_instance" "production" {
  identifier                = local.database
  allocated_storage         = 100
  max_allocated_storage     = 1000
  storage_type              = "gp2"
  apply_immediately         = true
  deletion_protection       = false
  delete_automated_backups  = false
  final_snapshot_identifier = "${local.database}-final-snapshot"
  engine                    = "postgres"
  engine_version            = "10.11"
  instance_class            = "db.t3.small"
  port                      = "5432"
  username                  = "postgres"
  password                  = "test12345!"
  vpc_security_group_ids    = [aws_security_group.rds.id]
  tags = {
    Name = local.database
  }

  depends_on = [aws_security_group.rds]
}

resource "aws_instance" "ec2" {
  ami             = var.ami
  instance_type   = var.instance_type
  key_name        = "demo"
  security_groups = [aws_security_group.ec2.name]
  tags = {
    Name = "demo-test"
  }

  depends_on = [
    aws_s3_bucket.media,
    aws_security_group.ec2
  ]

  provisioner "local-exec" {
    command = "echo ${aws_instance.ec2.public_ip} > ip_address.txt"
  }
}

Newsletter

Get notified about new posts!

Image recognition with lambda and S3