[Terraform] Terraform Certified Associate

by Taeyoon.Kim.DS 2024. 2. 2. 02:41

IaC that is Declarative and Cloud Agnostic.

AWS - SysOps Administrator

GCP - Associate Cloud Engineer

Azure - Azure Administrator

 

1. Watch video lecture

2. Do hands-on labs

3. Do paid online practice exams

 

What is IaC?

Automates creating, updating or destroying cloud infrastructure.

- avoids misconfiguring a service through human error

 

Popular Infrastructure as Code (IaC) tools

 

Declarative

1. explicit

2. no mis-configuration

3. written in declarative data formats, e.g. JSON, YAML, XML

 

CloudFormation // Terraform

 

Infrastructure lifecycle

A number of clearly defined and distinct work phases which are used by DevOps Engineers to plan, design, build, test, deliver, maintain and retire infrastructure.

 

Day 0 - Plan and Design

Day 1 - Develop and iterate

Day 2 - Go live and maintain

 

Reliability - idempotent - no matter how many times you run IaC, you will always end up with the same state that is expected.

Manageability

Sensibility

 

Non-Idempotent

Provision and launch 2 virtual machines. Deploy again: you end up with 2 new VMs, for a total of 4 VMs.

 

Idempotent

Provision and launch 2 virtual machines. Deploy again: the existing VMs are modified in place, or deleted and recreated, so you still end up with 2 VMs.

 

Provisioning

When you launch a cloud service and configure it, you are "provisioning".

 

Deployment

Delivering a version of your application to run on a provisioned server.

 

Orchestration

The act of coordinating multiple systems or services.

 

Configuration Drift

An unexpected configuration change.

- team members manually adjusting config options

- malicious actors

E.g. A junior dev turns on Delete on Termination for the Production Database.

 

How to detect config drift?

- A compliance tool that can detect misconfigurations

- Built-in support for drift detection, e.g. AWS CloudFormation Drift Detection

- Storing the expected state, e.g. Terraform state files

 

How to correct config drift?

- A compliance tool that can remediate misconfigurations, e.g. AWS Config

- Terraform refresh and plan commands

- Manually correcting the configs

- Tearing down and setting up the infrastructure again

 

How to prevent configuration drift?

- Immutable infrastructure: always create and destroy, never reuse; Blue/Green deployment strategy.

- Servers are never modified after they are deployed

- Baking AMI images or containers via AWS Image Builder, etc.

 

Mutable

Develop - Deploy - Configure
A VM is deployed and then configured with a Config Management tool like Ansible, Puppet, Chef, etc.

 

Immutable 

Develop - Configure - Deploy

A VM is launched and provisioned, and then it is -...

 

GitOps - Introduce a formal process to review and accept changes to infrastructure code.

 

Immutable Infrastructure Guarantee

- Cloud Resource Failure

- Application Failure

- Time to Deploy

- Worst-case Scenario

No guarantee of 1-to-1

Golden Images

 

What is HashiCorp?

Open-source tools used to support the development and deployment of large-scale service-oriented software installations.

What is HashiCorp Cloud Platform (HCP)?

- Boundary

- Consul

- Nomad

- Packer

- Terraform

- Vagrant

- Vault

- Waypoint

- Terraform is an open-source and cloud-agnostic IaC tool. Terraform uses declarative configuration files.

HCL (HashiCorp Configuration Language)

Notable features of Terraform:

- Installable modules

- Plan and predict changes

- Dependency Graphing

 

What is Terraform Cloud?

SaaS offering; unified web portal.

www.terraform.io/cloud  

 

HashiCorp Terraform - Provision & Manage any Infrastructure

Use infrastructure as code to consistently provision any cloud, infrastructure, and service.

www.hashicorp.com

 

Terraform Lifecycle

Code - init - plan - validate - apply - destroy or Code

 

Change Automation

What is Change Management?

What is Change Automation?

A way of automatically creating a consistent, systematic, and predictable way of managing change requests via controls and policies.

 

Execution Plans and Resource Graphs

ChangeSet - versioning repo, git...

Execution Plans - An Execution Plan is a manual review of what will be added, changed or destroyed before you apply changes.

Visualising Execution Plans - Visualise an execution plan as a graph using the terraform graph command; Terraform will output a GraphViz file.

terraform graph | dot -Tsvg > graph.svg

 

After executing a terraform plan, you notice that a resource has a tilde (~) next to it. What does this mean?

  • the resource will be updated in place (Correct)

-/+ means that Terraform will destroy and recreate the resource, rather than updating in place

 

terraform import

terraform import is a command used to bring existing infrastructure resources under Terraform configuration. With it, infrastructure resources that were not managed through Terraform configuration files (created beforehand) can be managed by Terraform.

Normally Terraform is a tool for defining infrastructure declaratively and managing it as code, but sometimes an already existing resource has to be brought into Terraform. In such cases terraform import can be used.

 

This command imports an existing EC2 instance as an aws_instance resource and maps it into the Terraform state file. Afterwards, that resource can be defined and managed in the Terraform configuration file.

Import is a kind of intermediate step, and additional work may be needed to manage the Terraform state of the imported resource. To keep managing the imported resource with Terraform, Terraform code for that resource must be added to the configuration file.
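The import flow described above, written out as an added example (not code from the original post): the aws provider version, region, AMI and instance ID are placeholders, and it uses the import block (Terraform 1.5 and later) alongside the older CLI form.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"   # assumption; any recent 5.x provider
    }
  }
}

provider "aws" {
  region = "ap-northeast-2"   # placeholder region
}

# Step 1: describe the pre-existing instance in configuration. Import only
# writes state; without a matching block the next plan would propose
# destroying the imported resource.
resource "aws_instance" "web" {
  ami           = "ami-PLACEHOLDER"   # copy from the real instance
  instance_type = "t3.micro"          # must match reality or plan shows a diff

  tags = {
    Name = "web"
  }
}

# Step 2 (Terraform 1.5+): declare the mapping in code so the import is
# reviewed in the same plan/apply cycle as any other change.
import {
  to = aws_instance.web
  id = "i-0123456789abcdef0"   # placeholder EC2 instance ID
}

# Equivalent older CLI form, run once from the shell:
#   terraform import aws_instance.web i-0123456789abcdef0
#
# Step 3: `terraform plan` should report no changes. Any remaining diff means
# the configuration does not yet match the imported resource; fix the block,
# not the infrastructure. The import block can be removed after the apply.
```

Terraform 1.5+ can also draft the resource block from the import block with `terraform plan -generate-config-out=generated.tf`; review the generated block before applying, since it reflects whatever the existing instance currently has.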

 

When using modules to deploy infrastructure, how would you export a value from one module to import into another module? (When using modules, if you want to take a value from module A into another module, how do you do it?)

For example, a module dynamically deploys an application instance or virtual machine, and you need the IP address in another module to configure a related DNS record in order to reach the newly deployed application

  • configure an output value in the application module in order to use that value for the DNS module (Correct)

Configure an output value in the application module so that the DNS module can use it.
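The output-to-input wiring the answer describes, as an added example that is not from the original post; the module paths, hostname, AMI and hosted zone ID are placeholders.

```hcl
# modules/app/variables.tf
variable "ami_id" {
  type = string
}

# modules/app/main.tf -- the dynamically created instance
resource "aws_instance" "app" {
  ami           = var.ami_id
  instance_type = "t3.micro"
}

# modules/app/outputs.tf -- export the value another module needs.
# A module's resources are private; only outputs are visible outside it.
output "private_ip" {
  description = "Private IP of the application instance"
  value       = aws_instance.app.private_ip
}

# modules/dns/variables.tf -- declare the inputs the DNS module expects
variable "zone_id" {
  type = string
}

variable "app_ip" {
  type = string
}

# modules/dns/main.tf -- the record that points at the application
resource "aws_route53_record" "app" {
  zone_id = var.zone_id
  name    = "app.example.internal"   # placeholder hostname
  type    = "A"
  ttl     = 300
  records = [var.app_ip]
}

# main.tf (root module) -- wire one module's output into the other's input.
# module.app.private_ip is only known after apply, so the dependency graph
# schedules the DNS record after the instance exists.
module "app" {
  source = "./modules/app"
  ami_id = "ami-PLACEHOLDER"   # placeholder AMI
}

module "dns" {
  source  = "./modules/dns"
  zone_id = "Z0PLACEHOLDER"   # placeholder hosted zone ID
  app_ip  = module.app.private_ip
}
```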

Which of the following allows Terraform users to apply policy as code to enforce standardized configurations for resources being deployed via infrastructure as code?

  • sentinel (Correct)

  • functions

  • workspaces (Incorrect)

  • module registry

    Which of these matters here? When a Terraform user applies policy: standardized configurations for the resources being deployed.

     

State File

- Represents Terraform's view of the infrastructure

- A JSON file holding the data and resources Terraform manages

- Contains sensitive info

- can be stored locally or remotely

 

Local Backend

- The Terraform state file is stored locally. Simple to get started! But sensitive values sit in plain text inside the JSON file. Uncollaborative. Manual.

 

Remote Backend

- The Terraform state file is stored remotely. It can be stored in Terraform Cloud, or in Amazon S3.

Sensitive data encrypted, collaboration possible, automation possible, increased complexity.

S3 Bucket used for storage
DynamoDB used for locking

 

Remote Backend (AWS)

Bootstrapping - part 1

No remote backend specified (defaults to local), so the state lives in the local state file terraform.tfstate while Terraform creates the versioned and encrypted S3 bucket and the DynamoDB table.

Remote Backend (AWS): the backend configuration then points at that S3 bucket (storage) and DynamoDB table (locking).
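The bootstrap resources and the matching backend block, as an added example that is not from the original post; bucket and table names and the region are placeholders.

```hcl
# Bootstrap (part 1): apply once with the default local backend.
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-tfstate-bucket"   # placeholder; must be globally unique
}

resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"   # lets you roll back to an earlier state file
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"   # state holds sensitive values: encrypt at rest
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_dynamodb_table" "tflock" {
  name         = "example-tfstate-lock"   # placeholder
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"   # attribute name the S3 backend requires for locks
  attribute {
    name = "LockID"
    type = "S"
  }
}

# Part 2: add this block, then `terraform init -migrate-state` moves the local state into the bucket.
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket"
    key            = "prod/terraform.tfstate"
    region         = "ap-northeast-2"   # placeholder region
    encrypt        = true               # request server-side encryption of the state object
    dynamodb_table = "example-tfstate-lock"
  }
}
```

After the migration, confirm the local terraform.tfstate (and its .backup) no longer holds a plaintext copy on disk, or store it only as a protected backup.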

 

 

When you run terraform plan...

- The Terraform Config (Desired State) is compared with the Terraform State (Actual State). E.g. with a networking configuration, if there were 3 DBs but you want to create 4 (scaling up), the plan is +1 VM. That plan is fed into the AWS Provider. When you then run the terraform apply command, the desired state and the actual state are brought into match.

 

With the destroy command... all of the Actual State is deleted.