深探-IaC-(Infrastructure as Code-基礎設施即程式碼-)-在-AWS-上的應用

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.SUMMIT
Deep Dive into IaC on AWS
Pahud Hsieh
Specialist SA, Serverless
Amazon Web Services
smalltown
Senior Site Reliability Engineer
Maicoin

Our infrastructure management journey

Manual
� Easy to get started
� Not reproducible
� Error prone
� Time consuming

Scripted
� What happens if an API call fails?
� How do I make updates?
� How do I know a resource is ready?
� How do I roll back?

Resource Provisioning Engines
AWS CloudFormation
template
(JSON/YAML)
HashiCorp
Configuration Language
(HCL)
Desired state configuration
� Easy to automate
� Reproducible
� Configuration syntax
� No abstraction, lots of details

Challenges
• Automated deployment and rollback
• Cross account management
• Cooperative development
• Integration with existing testing frameworks
• Integration with key management system
• Integration with Kubernetes or Amazon EKS

Introducing smalltown

Hello!
I am smalltown
MaiCoin Site Reliability Engineer
Taipei HashiCorp User Group Organizer
AWS User Group Taiwan Staff

Angeda
IaC Introduction
Multiple Accounts Infrastructure
Testing IaC
EKS Example

IaC Introduction

Infrastructure as Code in 201X...
YA! I can write code to
manage cloud resource
resource "aws_s3_bucket" "b" {
bucket = "my_tf_test_bucket"
acl = "private"
tags { Name = "My bucket" }
}

Infrastructure as Code in 201X...
• Record your cloud resource with infrastructure as code
tool, not document
Document:
- Easy Out of Date
- Hard to Maintain
AWS
CloudFormation

Terraform Overview
Allow 1 person manage
the same resource
Store the managed
resource state
Create, Modify,
Destroy Resource

The Benefit After Adopt IaC
• Automate your deployment and recovery process
• Rollback with the same tested processes
• Don’t repair, redeploy
• Focus on mean time to recovery
• Use testing tools to verify your infrastructure
• Hook your tests into your monitoring system

Problems Emerged After a While...
• Permission control problem
• Don’t follow DRY
• How to well testing
• How to collaborate within a team

Why Multiple AWS Accounts ?
• Why there are dev, alpha, beta, staging, production
environment for the application?
• Application need to be well tested, but not impact the real
users
• Production infrastructure don’t allow access at will
• Infrastructure becomes code now, hence, it need to be
treated as the same way

• IAM user can be central managed
• Permission separate as read,
write and robot roles in different
accounts
• The robot role is for Terraform
usage

• The write role is for human
usage if necessary
• Production write and robot role
only can be permitted through
change management process

How to Manage Multiple Accounts
• About assume role, don’t
forget to enable MFA, and
setup expired time
• Recommend to use aws-
vault to manage multiple
roles in multiple accounts
[profile central]
output = json
region = us-east-1
mfa_serial =
arn:aws:iam::${CENTRAL_ACCOUNT_ID}:mfa/${IAM_USER}
[profile central_read]
role_arn =
arn:aws:iam::${CENTRAL_ACCOUNT_ID}:role/read
mfa_serial =
arn:aws:iam::${CENTRAL_ACCOUNT_ID}:mfa/${IAM_USER}
source_profile = central

Testing IaC

What is Terratest?
• Terratest is a Go library that makes it easier to write
automated tests for your infrastructure code
• It provides a variety of helper functions and patterns for
common infrastructure testing tasks

How to Test IaC By Terratest
Setup
- Compose configuration
- Create resource
- Wait resource ready
Verification
- Leverage helper
function
- Write Golang
directly
Teardown
- Destroy resource
- Generate report

Rich Helper Function
• Testing Terraform code
• Testing Packer templates
• Testing Docker images
• Executing commands on servers over SSH
• Working with Cloud Provider APIs, e.g. AWS
• Working with Kubernetes APIs
• Testing Helm Charts
• Making HTTP requests
• Running shell commands

IaC Testing Tools Comparison
• XXX-Spec ←→ Terratest ←→ Pure programming language
• Learning curve is between XXX-Spec and Pure programming
language
• Not only check server properties, but also the service
functionality
• Testing scope include entire systems

Terraform Module Structure W/ Testing
tf-aws-iam
├── examples
│ ├── iam-roles
│ └── iam-users
├── modules
│ ├── roles
│ └── users
└── test
├── iam_roles_test.go
└── iam_users_test.go
• Modules: The Terraform to
create cloud resource
• Examples: Illustrate how to use
the module
• Test: Test the module by
executing examples

EKS Example - Vishwakarma

Vishwakarma
• Vishwakarma can be used to create a Kubernetes cluster in
AWS by leveraging HashiCorp Terraform and CoreOS

Terratest in Vishwakarma
• Create a EKS cluster with two worker groups (on-demand,
spot)
• Once the cluster is ready (node, core-dns), deploy Nginx
service
• Make a HTTP request to the Nginx service
• Destroy EKS cluster

深探-IaC-(Infrastructure as Code-基礎設施即程式碼-)-在-AWS-上的應用

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à 深探-IaC-(Infrastructure as Code-基礎設施即程式碼-)-在-AWS-上的應用

Similaire à 深探-IaC-(Infrastructure as Code-基礎設施即程式碼-)-在-AWS-上的應用 (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

深探-IaC-(Infrastructure as Code-基礎設施即程式碼-)-在-AWS-上的應用