3. Manual
• Easy to get started
• Not reproducible
• Error prone
• Time consuming
4. Scripted
• What happens if an API call fails?
• How do I make updates?
• How do I know a resource is ready?
• How do I roll back?
5. Resource Provisioning Engines
AWS CloudFormation template (JSON/YAML)
HashiCorp Configuration Language (HCL)
Desired state configuration
• Easy to automate
• Reproducible
• Configuration syntax
• No abstraction, lots of details
6. Challenges
• Automated deployment and rollback
• Cross account management
• Cooperative development
• Integration with existing testing frameworks
• Integration with key management system
• Integration with Kubernetes or Amazon EKS
11. Infrastructure as Code in 201X...
YA! I can write code to manage cloud resources
# Terraform 0.12+ syntax: tags is an argument, so it is written tags = { ... }
resource "aws_s3_bucket" "b" {
  bucket = "my_tf_test_bucket"
  acl    = "private"
  tags = {
    Name = "My bucket"
  }
}
12. Infrastructure as Code in 201X...
• Record your cloud resources with an infrastructure-as-code tool, not a document
Documents:
- Easily go out of date
- Hard to maintain
AWS CloudFormation
13. Terraform Overview
Allows one person to manage the same resource
Stores the managed resource state
Creates, modifies and destroys resources
14. The Benefits After Adopting IaC
• Automate your deployment and recovery process
• Rollback with the same tested processes
• Don’t repair, redeploy
• Focus on mean time to recovery
• Use testing tools to verify your infrastructure
• Hook your tests into your monitoring system
15. Problems That Emerged After a While...
• Permission control problem
• Not following DRY
• How to test well
• How to collaborate within a team
17. Why Multiple AWS Accounts?
• Why are there dev, alpha, beta, staging and production environments for the application?
• Applications need to be well tested without impacting real users
• Production infrastructure does not allow access at will
• Infrastructure is code now, so it needs to be treated the same way
19. Multiple Accounts Infrastructure
• IAM users can be centrally managed
• Permissions are separated into read, write and robot roles in different accounts
• The robot role is for Terraform usage
20. Multiple Accounts Infrastructure
• The write role is for human usage if necessary
• The production write and robot roles can only be granted through the change management process
21. How to Manage Multiple Accounts
• When assuming roles, don't forget to enable MFA and set an expiry time
• Recommended: use aws-vault to manage multiple roles in multiple accounts
[profile central]
output = json
region = us-east-1
mfa_serial = arn:aws:iam::${CENTRAL_ACCOUNT_ID}:mfa/${IAM_USER}
[profile central_read]
role_arn = arn:aws:iam::${CENTRAL_ACCOUNT_ID}:role/read
mfa_serial = arn:aws:iam::${CENTRAL_ACCOUNT_ID}:mfa/${IAM_USER}
source_profile = central
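The two reminders on this slide (MFA on every assumed role, and an expiry on the session) can be checked mechanically before a config file is trusted. The Go program below is an added example, not part of the original deck and not aws-vault code: it parses the ~/.aws/config profile format shown above and flags role profiles that lack mfa_serial, lack a credential source, or request a duration_seconds above a local limit. The sample config, the account id 111111111111 and the user name alice are constructed for the example; the one-hour limit is a policy choice made here, not an AWS constant; all function and type names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Profile is one [profile name] section of an AWS CLI config file.
type Profile struct {
	Name   string
	Fields map[string]string
}

// parseAWSConfig parses the INI-style ~/.aws/config format into profiles.
// Only the subset used on the slide is handled: section headers and
// key = value lines; nested sub-sections are ignored.
func parseAWSConfig(text string) []Profile {
	var profiles []Profile
	cur := -1 // index of the section currently being filled
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			name := strings.TrimSpace(line[1 : len(line)-1])
			name = strings.TrimSpace(strings.TrimPrefix(name, "profile "))
			profiles = append(profiles, Profile{Name: name, Fields: map[string]string{}})
			cur = len(profiles) - 1
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if cur < 0 || len(kv) != 2 {
			continue
		}
		profiles[cur].Fields[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return profiles
}

// Finding describes one policy violation in a role profile.
type Finding struct {
	Profile string
	Problem string
}

// maxSessionSeconds is the longest role session this check accepts.
// It is a local policy choice for the example, not an AWS constant.
const maxSessionSeconds = 3600

// checkRoleProfiles inspects every profile that assumes a role (has role_arn)
// and reports those that do not require MFA, have no credential source, or
// request a session longer than maxSessionSeconds. A missing duration_seconds
// is accepted because the CLI then falls back to its one-hour default.
func checkRoleProfiles(profiles []Profile) []Finding {
	var findings []Finding
	for _, p := range profiles {
		if _, isRole := p.Fields["role_arn"]; !isRole {
			continue
		}
		if p.Fields["mfa_serial"] == "" {
			findings = append(findings, Finding{p.Name, "role profile without mfa_serial"})
		}
		if p.Fields["source_profile"] == "" && p.Fields["credential_source"] == "" {
			findings = append(findings, Finding{p.Name, "role profile without source_profile or credential_source"})
		}
		if d, ok := p.Fields["duration_seconds"]; ok {
			n, err := strconv.Atoi(d)
			if err != nil {
				findings = append(findings, Finding{p.Name, "duration_seconds is not an integer: " + d})
			} else if n > maxSessionSeconds {
				findings = append(findings, Finding{p.Name, fmt.Sprintf("duration_seconds %d exceeds limit %d", n, maxSessionSeconds)})
			}
		}
	}
	return findings
}

// sampleConfig is a constructed ~/.aws/config modelled on the slide's profiles,
// with one deliberately weak profile (central_write) for the checker to catch.
const sampleConfig = `[profile central]
output = json
region = us-east-1
mfa_serial = arn:aws:iam::111111111111:mfa/alice

[profile central_read]
role_arn = arn:aws:iam::111111111111:role/read
mfa_serial = arn:aws:iam::111111111111:mfa/alice
source_profile = central
duration_seconds = 3600

[profile central_write]
role_arn = arn:aws:iam::111111111111:role/write
source_profile = central
duration_seconds = 43200
`

func main() {
	for _, f := range checkRoleProfiles(parseAWSConfig(sampleConfig)) {
		fmt.Printf("%s: %s\n", f.Profile, f.Problem)
	}
}
```

Run against the sample, the checker stays silent for central (a plain credentials profile) and central_read, and reports central_write twice: no mfa_serial, and a twelve-hour session. Pointing parseAWSConfig at the contents of a real config file instead of sampleConfig makes this a pre-commit check for a shared profile set.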
24. What is Terratest?
• Terratest is a Go library that makes it easier to write
automated tests for your infrastructure code
• It provides a variety of helper functions and patterns for
common infrastructure testing tasks
25. How to Test IaC with Terratest
Setup
- Compose configuration
- Create resources
- Wait for resources to be ready
Verification
- Leverage helper functions
- Write Go directly
Teardown
- Destroy resources
- Generate report
26. Rich Helper Functions
• Testing Terraform code
• Testing Packer templates
• Testing Docker images
• Executing commands on servers over SSH
• Working with Cloud Provider APIs, e.g. AWS
• Working with Kubernetes APIs
• Testing Helm Charts
• Making HTTP requests
• Running shell commands
27. IaC Testing Tools Comparison
• XXX-Spec ←→ Terratest ←→ Pure programming language
• Learning curve is between XXX-Spec and a pure programming language
• Checks not only server properties but also service functionality
• Testing scope includes entire systems
28. Terraform Module Structure with Testing
tf-aws-iam
├── examples
│   ├── iam-roles
│   └── iam-users
├── modules
│   ├── roles
│   └── users
└── test
    ├── iam_roles_test.go
    └── iam_users_test.go
• Modules: the Terraform code that creates cloud resources
• Examples: illustrate how to use the module
• Test: tests the module by executing the examples
30. Vishwakarma
• Vishwakarma can be used to create a Kubernetes cluster in
AWS by leveraging HashiCorp Terraform and CoreOS
31. Terratest in Vishwakarma
• Create an EKS cluster with two worker groups (on-demand, spot)
• Once the cluster is ready (nodes, CoreDNS), deploy an Nginx service
• Make an HTTP request to the Nginx service
• Destroy the EKS cluster
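The Setup / wait-for-ready / Verification / Teardown shape from the Terratest slide (25) and the Vishwakarma test flow on this slide, as an added example that is not part of the original deck, of Terratest, or of Vishwakarma. It uses only the Go standard library: an httptest server stands in for the Nginx service and answers 503 until a constructed startup delay has passed (the way a Deployment does while its pods are still starting), a retry loop waits for readiness, the verification step makes an HTTP request and checks the body, and teardown is deferred so the resource is destroyed even when verification fails. The names Service, waitUntilReady, httpGetBody and runServiceTest are this example's own.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Service is a constructed stand-in for the deployed Nginx service under test.
// It serves 503 until readyAt has passed, then a fixed body.
type Service struct {
	srv       *httptest.Server
	readyAt   time.Time
	destroyed bool
}

// newService "creates the resource": it starts the test server with the given
// startup delay before it reports ready.
func newService(startupDelay time.Duration) *Service {
	s := &Service{readyAt: time.Now().Add(startupDelay)}
	s.srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if time.Now().Before(s.readyAt) {
			http.Error(w, "starting", http.StatusServiceUnavailable)
			return
		}
		fmt.Fprint(w, "Welcome to nginx!")
	}))
	return s
}

// URL is the endpoint of the service while it is up.
func (s *Service) URL() string { return s.srv.URL }

// Destroy tears the service down; it is idempotent, like `terraform destroy`.
func (s *Service) Destroy() {
	if !s.destroyed {
		s.srv.Close()
		s.destroyed = true
	}
}

// waitUntilReady polls check until it succeeds or the attempts are exhausted,
// in the spirit of Terratest's retry helpers but written here with the
// standard library only.
func waitUntilReady(attempts int, interval time.Duration, check func() error) error {
	var last error
	for i := 0; i < attempts; i++ {
		if last = check(); last == nil {
			return nil
		}
		time.Sleep(interval)
	}
	return fmt.Errorf("not ready after %d attempts: %w", attempts, last)
}

// httpGetBody fetches url and returns the body only for a 200 response.
func httpGetBody(url string) (string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("status %d", resp.StatusCode)
	}
	return string(body), nil
}

// runServiceTest runs the full lifecycle against the stand-in service and
// returns whether teardown ran and the verification error (nil on success).
// Teardown is deferred so the resource is destroyed even when verification
// fails, which is how a Terratest test avoids leaking cloud resources.
func runServiceTest(startupDelay time.Duration, want string) (tornDown bool, verifyErr error) {
	// Setup: create the resource.
	svc := newService(startupDelay)
	// Teardown: always destroy, and record that it happened.
	defer func() {
		svc.Destroy()
		tornDown = svc.destroyed
	}()
	// Wait until the resource is ready (the cluster/node/CoreDNS step).
	if err := waitUntilReady(50, 20*time.Millisecond, func() error {
		_, err := httpGetBody(svc.URL())
		return err
	}); err != nil {
		return false, err
	}
	// Verification: the service answers with the expected content.
	body, err := httpGetBody(svc.URL())
	if err != nil {
		return false, err
	}
	if body != want {
		return false, fmt.Errorf("unexpected body %q", body)
	}
	return false, nil
}

func main() {
	down, err := runServiceTest(100*time.Millisecond, "Welcome to nginx!")
	fmt.Printf("teardown ran: %v, verification error: %v\n", down, err)
}
```

The deferred teardown is the part worth copying into a real Terratest test: `defer terraform.Destroy(t, opts)` placed right after `terraform.InitAndApply` gives the same guarantee for an EKS cluster, and the readiness loop is what keeps a test from failing merely because the service has not finished starting.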