Code
source code ansible
source code helloworld
1 | npm config set registry http://registry.npmjs.org/ |
Creating the new cloudformation stack for production
1 | aws cloudformation create-stack --capabilities CAPABILITY_IAM --stack-name helloworld-production --template-body file://nodeserver-cf.template --parameters ParameterKey=KeyPair,ParameterValue=EffectiveDevOpsAWS |
Vagrant can be used for automatically provisioning VMs, and even whole development environments.
On ubuntu host:
1 | $ sudo apt install vagrant |
Components
Operations
Provisioning of vagrant
Creating a VM and provisioning it with Apache installed and prot forwarding
Add theses lines in Vagrantfile:
1 | config.vm.network "forwarded_port", guest: 80, host: 8080 |
Create provision.sh file with these entries:
Destroy and start the virtual machine:
1 | pipeline { |
Jenkinsfile
A Jenkinsfile is a file that contains Pipeline code.
A Jenkins Shared Library is an external source control repository containing your complex Groovy code. It acts like a function that could be used on-demand inside your Declarative Pipeline.
A Groovy Script (example.groovy)Inside Jenkins Shared Library Repository:
1 | def greet(message) { |
Jenkins Declarative Pipeline Utilizing the Shared Library:
1 | @Library('Example_shared_Library') _ |
Downloading the latest Jenkins Blue Ocean
docker pull jenkinsci/blueocean
To list the downloaded docker image: docker images
Docker containers generate and use data. When a container gets deleted, its relevant data also gets lost.
To make the data persistent, we use docker volumes.
1 | docker volume create jenkins_home |
1 | docker run -d --name jenkins -v jenkins_home:/var/jenkins_home jenkinsci/blueocean |
1 | docker pull nginx |
1 | docker run -d --name ngingx -p 80:80 --link jenkins nginx |
1 | docker exec -it ningx /bin/bash |
apt-get updateapt-get install vim1 | cp etc/ningx/conf.d/default.conf etc/nginx/conf.d/default.conf.backup |
1 | upstream jenkins { |
exitdocker restart nginx1 | docker exec -it jenkins /bin/bash -c \ "cat /var/jenkins_home/secrets/initialAdminPassword" |
Prerequisites
1 | docker pull nikhilpathania/jenkins_ssh_agent |
Creating credentials for the docker image in Jenkins
Add credentials inside Jenkins that allow it to interact with the docker image nikhilpathania/jenkins_ssh_agent
Installing the docker plugin
To spawn on-demand docker containers serving as Jenkins agents, need to install the docker plugin
Configuring the docker plugin
Manage Jenkins-> Configure System-> Cloud-> Add a new cloud-> Docker
Options to configure:
ENABLING DOCKER REMOTE API (CRITICAL)
The Docker remote API allows external applications to communicate with the Docker server using REST APIs . Jenkins (through the Docker Plugin) uses the docker remote API to communicate with a docker host.
To enable the Docker remote API on your Docker host, you’ll need to modify Docker’s configuration file. Depending on your OS version and the way you have installed Docker on your machine, you might need to choose the right configuration file to modify. Shown here are two methods that work on Ubuntu. Try them one by one.
Modifying the docker.conf File
Follow these steps to modify the docker.conf file :
1 | sudo nano /etc/init/docker.conf |
You’ll find “DOCKER_OPTS=” variable at multiple places inside the docker.conf file. Use the DOCKER_OPTS= that is available under the pre-start script or script section.
1 | DOCKER_OPTS='-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock' |
The above setting binds the Docker server to the UNIX socket as well on TCP port 4243.
“0.0.0.0” makes Docker engine accept connections from anywhere. If you would like your Docker server to accept connections only from your Jenkins server, then replace “0.0.0.0” with your Jenkins Server IP.
1 | sudo service docker restart |
1 | curl -X GET http://<Docker Server IP>:4243/images/json |
Modifying the docker.service File
Follow these steps to modify the docker.service file :
1 | sudo nano /lib/systemd/system/docker.service |
1 | ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:4243 |
The above setting binds the docker server to the UNIX socket as well on TCP port 4243.
“0.0.0.0” makes the Docker engine accept connections from anywhere. If you would like your Docker server to accept connections only from your Jenkins server, then replace “0.0.0.0” with your Jenkins Server IP.
1 | sudo systemctl daemon-reload |
1 | sudo service docker restart |
1 | curl -X GET http://<Docker Server IP>:4243/images/json |
Add Docker Template button. Click on it to configure the docker image that Jenkins shoudl use to spawn container.
Assigning a global agent
The pipeline that you are going to create should have two stages, and each stage is supposed to run inside a docker
container. You’ll define the agents for each stage sparately in the stage’s settings.
Therefore, let’s keep the Pipeline’s global agent setting to none.
Creating a build & test stage
Type in the name Build & Test for your stage.
Adding steps
Let’s add some steps to our Build & Test stage.
Adding a shell script setp
Our source code is a Maven project, and we would like to build and test it using an mvn command, which eventually
gets executed inside a shell on the Jenkins agent.
Paste the below code which is a maven command to build, test, and create a package out of your source code.
1 | mvn -Dmaven.test,failure,ignore clean package |
Adding a stash step to pass artifact between stages
Add another step to stash the build package and the testing report generated by the maven command.
Look for the step Stash some files to be used later in the build
Add the name “build-test-artifacts” fro your stash using the Name* field, which is mandatory.
Add the following to the Included field: **/target/surefire-reports/TEST-.xml,target/.jar
With this configuration you are telling Jenkins to stash any .jar file (build package) from the target directory,
and the TEST-*.xml file(test report) from the **/target/surefire-reports/ directory on the build agent.
piple line code so far:
1 | pipeline { |
Assigning an agent for the build & test stage
You’ll assign a build agent for your Build & Test stage. The agent is going to be a docker container that will be spawn automatically by Jenkins. ONce the stage is complete, Jenkins will destroy the container.
With the following configuration, Jenkins looks for an agent with the label docker. Remember the section, wherein you configured the docker plugin in Jenkins. You specified the label docker while configure the Docker Agent
Template.
Creating a report & publish stage
Add another stage named Report & Publish that will publish the testing results on the Test page of the Pipeline and that will publish the build package on the Artifacts page of the pipeline.
Adding an un-stash step
Before we do anything in the Report & Publish stage. it is first crucial to un-stash the files that were stashed
in the previous stage. So let’s add step to un-stash a stash from the previous stage.
You’ll see a text field Name* where you should paste the name of your stash precisely as it was defined during its
creation.
Report testing results
The stash contains a JUnit test results .xml file that you’ll publish on the pipeline’s Test page. For this, we need
to add a step named Archive Junit-formatted test results
Use the TestResults* field to provide Jenkins with the path to your JUnit test result file. In our case, it is**/target/surefire-reports/TEST-*.xml
Upload artifacts to blue ocean
Add a step that will upload the build package to the Pipleine’s Artifacts page. From the un-stashed files, you also
have a .jar file that is the build package.
To upload it to the Pipeline Artifacts page, use the Archive the artifacts step.
Use the Artifacts* filed to provide Jenkins with the path to your build package file. In our case, it is target/*.jar.Also, tick the option OnlyIfSuccessful to upload the artifacts only if the Pipeline status is green or yellow.
Assigning an aget for the report & publish stage
you’ll assign a build agent for your Report & Publish stage. The agent is going to be a docker container that will be spawn automatically by Jenkins. Once the stage is complete, Jenkins will destroy the container.
You are new done with creating the pipeline. To save the changes, click on the Save button.
When you click on the Save button, Jenkins in the back end converts your UI configurations into a Jenkinsfile that follows the Declarative Pipeline Syntax.
Run an artifactory server
To spawn an Artifactory server with docker. Artifactory is a popular tool to manage and version control software build artifacts.
Installing the artifactory plugin for jenkins
Manage Jenkins-> Manage Plugins-> Artifactory
Configuring the artifactory plugin in jenkins
Creating a Publish to Artifactory Stage (Parallel Stage)
Add a stage in parallel to existing Report & Publish stage.
Your new stage first downloads the stash files from the previous stage, and then it publishes the built artifacts to
the Artifactory server.
Adding a scripted pipeline step
does two things
1 | unstash 'build-test-artifacts' |
1 |
|
Notice that the target path contains Jenkins Global variables, ${BRANCH_NAME} and ${BUILD_NUMBER}, representing the branch name and build number, respectively. Doing so uploads the built artifacts to a unique path on Artifactory every single time a pipeline runs.
Assigning an Agent for the Publish to Artifactory Stage
you’ll assign a build agent for your Publish to Artifactory stage. The agent is going to be the docker container that gets spawned automatically by Jenkins. Once the stage is complete, Jenkins destroys the container.
Final pipeline code:
1 | pipeline { |
Running a pipeline for a pull requrest
Jenkins Blue Ocean can detect pull requests on your Github repositories and run a pipeline with it for you. The
pipeline run result (fail/pass/canceled) gets reported back to your source code repository.
The person who is reponsible for accepting the pull request can then decide based on the pipeline run result whether
he should merge the new changes into the destination branch or not.
pull requests not showing
fix by: 
Tools for troubleshooting the network
1 | stan@stan-virtual-machine:~$ ifconfig |
1 | nc -l 8000 & |
What to expect from a backup tool?
Introducing rsync
1 | type rsync |
using rsync over the network
1 | rsync -azv simple-php-website/ pi@rpi-01:~/backup/ |
advanced ssh options with rsync
1 | ssh-keygen |
How to improve performance?
Possible causes of bottlenecks
Check your resources
Before addressing a performance degradation problem, you must first check your assets to have an estimate of the upper bound for system’s general performance level
The following files provide hardware information:
Another useful command for this purpose if dmidecode. This will print a lot of hardware information about the machine like the mothermoard type, BIOS version, installed memory amont many other information.
Using vmstat to measure CPU utilization
CPU load average and per-process
Memeory management
Using vmstat to measure memory utilization
1 | iostat -dx 5 5 |
A slow system quick diagnosis and remedy
If you find that the system is suddenly running slower than before and users start complaining, you can examine the resources discussed in this section for bottlenecks.
For example, running ps -auxww will show you the CPU utilization per process. If you find that a single process is using more than 50% of the CPU ofr a long time, this might be an indication of fault in the process itself. Also check the load average with uptime to determine whether or not the CPU is contended.
Check the paging activity with vmstat. If there are a lot of page-outs this means the physical memeory is overloaded. Additionalyy, if there is a lot of disk activity without paging this means the a process is extensively using the disk for read and write requests. If this is not the normal behavior (e.g. a database), the process activity should be further examined.
It is difficult to know exactly which process is using the disk I/O the most, but using kill -STOP to temporarily suspend the susceptiable process can narrow down the possibilities.
If a process is identified as resource intensive, a number of actions can be taken: if it is CPU intensive you can use the renice command to descrease its priority. You can also ask the user to run it later. I the process is hogging the disk and/or then network, renice will not solve the problem, but you can tune the process itself to optimize its behavior (for example web servers).
Using screen, you can start a session that’s tied to a single operation. Then you can connect or disconnect whenever you want, and come back to the session to check on its progress.
1 | screen |
1 | $ sudo update-alternatives --config editor |
Server is not reachable
ping -f 192.168.199.188
1 | ldd $(which login) |
Cannot connect to a website or an application
Troubleshoting Steps: ping server by hostname and IP
if NOT pinable= go back to Server is not reachable
if pingable = Connect to service
1 | telnet 192.168.1.5 80 (http) |
Verify the installation:
1 | rpm -q haproxy |
Show the log file which is last written to:
1 | cd /var/log |
Stan@Company root@toad.cwzhou.win || root@Kali
From Kalia connect to Toad
1 | root@Kalia:~# ssh -R 2222:localhost:22 root@toad.cwzhou.win |
Stan in Company machine:
1 | root@stan:~# ssh root@toad.cwzhou.win |
1 | # mount /dev/xvdc1 /data |
1 | find / -name pg_hba.conf|xargs cat |
1 | ## man system.jounal-fields |
ncdu -x / –exclude /mnt
cp /etc/systemd/{journald,journald-bk}.conf
Boot the Ubuntu Live CD.
Press Ctrl-Alt-F1
sudo mount /dev/sda1 /mnt
If you created a custom partition layout when installing Ubuntu you have to find your root partition using the fdisk utility. See the section Finding your root partition.
sudo chroot /mnt
1 | awk '$1~/Value/' sau2-db-06.txt |cut -d ":" -f 2|xsel -b |
| Signal | SigNr | Default Meaning |
| SIGALARM | 14 | Exit setting an allarm clock |
| SIGCHLD | 18 | Ignore child status changed |
| SIGFPF | 8 | Exit,core Arithmetic exception |
| SIGHUP | 1 | Exit Hangup |
| SIGINT | 2 | Exit Interrupt |
| SIGKILL | 9 | Exit Killed |
| SIGQUIT | 3 | Exit,core Quit |
| SIGSTOP | 23 | Stop Stopped (signal) |
| SIGTERM | 15 | Exit Terminated |
| SIGUSR1 | 16 | Exit User signal 1 |
| SIGUSR2 | 17 | Exit User signal 2 |
| | | |
1 | >>> type(1) |
a function is just the name and then input inside parentheses, and it’ll spit out output.
If you need to include the string delimiter inside the string just precede it with a backslash, as in ‘It's a wrap’
1 | >>> "Hello " + str(1) |
Boolean:
1 | >>> x = 1 |
1 | >>> names = ["Alice", "Amy"] |
ls -l myscript not.here > lsout 2> lserrls -l myscript not.here &> lsboth1 | ls -l myscript not.here > lsout 2>&1 |
1 | ls > /tmp/lsout |
ls|wcConnect a series of commands with | symbols to make a pipeline.
What is DevOps?
Why DevOps?
Standard Continuous delivery (CD) techniques
At any time, only one of the environments is live, with the live environment serving all production traffic. For this example, Blue is currently live and Green is idle.
As you prepare a new version of your software, deployment and the final stage of testing takes place in the environment that is not live: in this example, Green. Once you have deployed and fully tested the software in Green, you switch the router so all incoming requests now go to Green instead of Blue. Green is now live, and Blue is idle.
This technique can eliminate downtime due to app deployment. In addition, blue-green deployment reduces risk: if something unexpected happens with your new version on Green, you can immediately roll back to the last version by switching back to Blue.
Goals
lack of collaboration is one of the root causes of the issues
Manual tests that consume resources are better left to machines. This frees time that is better spent elsewhere, and provides a better environment by relinquishing mundane tasks
The processes being comprised in a logical order allows for optimizations to be made from recorded metrics.
This stems mostly from automation, and provides the foundation to ensure quality. It also provides a certain level of peace of mind, having confidence that the same process that successfully ran last time will run the same the next.
Automation combined with consistency in process, along with the tools and practices in place to perform the necessary testing and scans, removes the possibility of human error from subsequent processes
Agile methodologies proved effective for development, and sparked the idea to apply similar principles to other areas. Deployment frequency has always been a target for efficiency, as shown by the migration to waterfall, where deployments were seldom; to hybrid methodologies that produced releases four or five times per month; to agile, where deployments are dependent upon sprint links. With DevOps, there’s a potential to release multiple times per day.
DevOps Methodologies and Concepts
DevOps engineer’s role within a devops organization
philosophy
DevOps is not something you do. It is something you are.
Devops culture is the one based on a set of principles, hierarchy of rules, by which each person operates.
A DevOps culture is one that allows more freedom but more responsibility.
Devops lifecycle
Continuous integration
Configuration management
Continous delivery
Deploying to production
Canary releases
Continuous delivery deploys many builds to production. In a canary deployment, the new code is delivered only to a percentage of the existing infrastructure. For example, if the system is running on 10 load-balanced virtual servers, you can define a canary cluster of one or two servers. This way, if the deployment is not successful due to an escaped defect, it can be caught before the build is deployed to all of the servers. Canary releases are also used for pilot features to determine performance and acceptance prior to a full rollout.
Blue/green deployment
This is a zero-downtime deployment technique that involves a gradual release to ensure uninterrupted service. The blue/green approach is effective in virtualized environments, especially if IaaS is used. Although a blue/green deployment is a deep topic that deserves an entire chapter on its own, simply put, it includes maintaining two identical development environments—Blue and Green. One is a live environment for production traffic, whereas the other is used to deploy the new release. In our example, let’s say that Green is the current live production environment and Blue is the idle identical production environment. After the code is deployed and tested in the Blue environment, we can begin directing traffic of incoming requests from Green (current production) to Blue. You can do this gradually until the traffic redirect is 100 percent to the Blue environment. If unexpected issues occur during this gradual release, we can roll back. When it is completed, the Green environment becomes idle and the Blue environment is now the live production environment.
Continous monitoring
Continous monitoring is the practice that connects operations back to development,providing visibility and relevant data throughout the development lifecycle including production monitoring. continuous monitoring aims to reduce the time between identification of a problem and deployment of the fix.
Monitoring begins with Sprint 1 and should be integrated into the development work. As the system is built, monitoring solutions are also designed.
four different types of continuous monitoring
Visualize infrastructure events coming from all computing resources, storage and network, and measure the usage and health of infrastructure resources. AWS CloudWatch and CloudTrail are examples of infrastructure monitoring tools.
Target bottlenecks in the application’s framework. Appdynamics and New Relic are industry-leading APM tools.
Collect performance logs in a standardized way and use analytics to identify application and system problems. Splunk and ELK are two leading products in this area.
Reduce security and compliance risk through automation. Security configuration management, vulnerability management, and intelligence to detect attacks and breaches before they do serious damage are achieved through continuous monitoring. For example, Netflix’s Security Monkey is a tool that checks the security configuration of your cloud implementation on AWS.
three major setps
DevOps: culture, automation, measurement, and sharing (CAMS)
DevOps architecutres and practics
From the DevOps movement, a set of software architectural patterns and practices have become increasingly popular. The primary logic behind the development of these architectural patterns and practices is derived from the need for scalability, no-downtime deployments, and minimizing negative customer reactions to upgrades and releases. Some of these you may have heard of (microservices), while others may be a bit vague (blue-green deployments).
Codecommit is a source control service provided by aws(hosts private git repositories)
why choose CodeCommit
Creating a private code repo on CodeCommit
IAM-> HTTPS Git credentials for AWS CodeCommit
1 | git clone https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/SampleRepo |
Migrating your project to CodeCommit
1 | ### - - mirror here means that we are not interested in cloning the application, however we are interested in downloading the Git binary files that make up the repository in the first place. |
1 | git init |
CodeCommit tutorials
Using IAM policies with CodeCommit
Using AWS CodeCommit Pull Requests
GitFlow development release model
Amazon linux 2 AMI
1 | sudo yum -y update |
What is Cloud9
What can i do with aws Cloud 9
\i /tmp/dellstore2.sql to create a new schema.HAPI is a rich application framework for building applications and RESTful APIs with Node.JS
Official website for HAPI framework is HAPIJS.com
install node and npm
1 | node -v |
1 | git clone https://github.com/espiderinc/hapi-rest-demo.git |
)
test
1 | hapi-rest-demo git:(master) ✗ npm test |
report generated workspace/hapi-rest-demo/coverage/lcov-report/index.html
Managin database schema for relational databaes (with Sqitch)
Sqitch is a standalone system without any dependency on frameworks or ORMs.
install sqitch
1 | docker pull sqitch/sqitch |
use sqitch
1 | mkdir stantutorial |
1 | { |
Ubuntu-> Configure Instance Details, IAM role, select CodeDeploy-EC2 (this will allow jenkins connect to s3 buckets)->
Tag instance: Key group Value hapi-demo
1 | wget -q -O - http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key| sudo apt-key add - |
Install plugin AWS CodePipeline
Install node.js:
1 | curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash - |
Install sqitch
1 | sudo apt-get install build-essential cpanminus perl perl-doc |
Create a new instance hapi-demo install node.js and
1 | sudo apt install python3-pip |
Create a new Codedeploy application, choose compute type ec2/on-premises, Service role-> statutorialRole; Environment configuration tick Amazon EC2 instances, Key-> Name, Value-> hapi-demo; Deployment setting-> CodeDeployDefault.OneAtATime
appspec.yml file is an application specification file for aws codedeploy
1 | cat appspec.yml |
Create a freestyle jenkins job, configurat as following screenshots:
AWS SNS notifications for build and deployment status
1 | { |
Automatically and continuously deploy code without any downtime
Consistently and automatically deploy relational database schema changes
1 | sqitch add product-add-comments |
Splunk is a software platform that collects and stores all this machine data in one place.
Splunk components
The universal forwarder (UF) is a free small-footprint version of Splunk Enterprise that is installed on each application, web, or other type of server to collect data from specified log files and forward this data to Splunk for indexing(storage). In A large Splunk deployment, you may have hundreds or thousands of forwards that consume and forward data for indexing.
An indexer is the Splunk component that creates and manages indexes, which is where machine data is stored. Indexers perform two main functions: parsing and storing data, which has been received from forwarders or other data sources into indexes, and searching and returning the indexed data in response to search requests.
An indexing cluster is a group of indexers that have been configured to work together to handle higher volumes of both incmoing data to be indexed and search requests to be serviced, as well as providing redundancy by keeping duplicate copies of indexed data spread across the cluster members.
A search head is an instance of Splunk Enterprise that handles search management functions. This includes providing a web-based user interface called Splunk Web, from which users issue search requests in what is called Search Processing Language (SPL). Search reqeusts initiated by a user ( or a report or dashboard) are sent to one or more indexers to locate and return the requested data; the search head then formates the returned data for presentation to the user.
1 | index=_internal | stats count by source, sourcetype |
an example of executing a simple search in Splunk Web. The SPL specifies searching in the _internal index, which is where Splunk saves data about its internal operations, and provides a count of the number of events in each log for Today. The SPL command specified an index, and then pipes the returned results to the stats command to return a count of all the events by their source and `sourcetype
A deployment server is a Splunk Enterprise instance that acts as a centralized configuration manager ofr a number of Splunk components, but which in practice is used to manage UFs.
A deployer is a Splunk Enterprise instance that is ued to distribute Splunk apps and certain other configuration updates to search head cluster memebers.
A cluster master is a Splunk Enterprise instance that coordinates the activities of an indexing cluster.
A license master is a single Splunk Enterprise instance that provides a licensing service for the multiple instances of Splunk that have been deployed in a distributed environment.
A heavy forwarder is an instance of Splunk Enterprise that can receive data from other forwarders or data sources and parse, index, and/or send data to another Splunk instance for indexing.
Splunk Enterprise also has a monitoring tool function called the monitoring console, which lets you view detailed topology and performance information about your entire distributed deployment from one interface.
1 | wget https://releases.hashicorp.com/terraform/0.12.4/terraform_0.12.4_linux_amd64.zip |
main features of HCL
1 | mkdir s3_backbone && cd s3_backbone |
Provide: Terraform object that is responsible for managing the lifecycle of a resouce:
1 | cat providers.tf |
1 | cat s3.tf |
What is state?
for example, you went to the web console and manually changed something - Terraform will detect such changes, and unless they also exist in the desired state, it will revert them. So, if we are going to treat our infrastructure as code, we should get into the mindset of not changing our sources manually.
Make sure the state file is ignored by Git
1 | cat .gitignore |
Typical project structure
1 | |-main.tf |
group related resources together, and keep the configuration files to a manageable size - ideally, not longer than 200 lines of code.
Keep the code DRY- Don’t Repeat Yourself-SOFTWARE ENGINEERING PRICIPLE aimed at reducing interpretation of the same data
Terraform performs automatic conversion from string values to numeric and boolean values, based on context.
Maps are useful for selecting a value based on some other provided value.
A list value is an ordered sequence of strings, indexed by integers starting with 0.
Several ways to set variables:
1 | cat variables.tf |
1 | terraform plan -var 's3_bucket_name="packt-terraform-section2-bucket-stan"' |
1 | TF_VAR_s3_bucket_name="packt-terraform-section2-bucket-stan" terraform plan |
Variable definition files
1 | cat terraform.tfvars |
String Interpolation
"${var.s3_bucket_name}"First-Class Expressionsvar.s3_bucket_name
1 | cat s3.tf |
Using git to store state is a bad idea
State
Recommend using S3
Local Values
edit variables.tf file:
1 | locals { |
we can skip refreshing it again to save a couple of seconds, here. I will pass a flag, -refresh=false.
The state filei(terraform.tfstate) is also used to store some metadata, such as resource dependencies, or a pointer to the provider configuration in situations where multiple AWS providers are present. Another use is to store a cache of the attribute values for all the resources in the state. When we run terraform plan, Terraform must know the current state of resources, and by default it will query the providers and sync the latest attributes from all our resources. For large infrastructure, this can be too slow, and we may get throttled at the API level - so, as a performance improvement, there is an option to disable this behavior by passing refresh=false flag.
1 | terraform plan -refresh=false |
Common Workflow
1.
1 | terraform plan -destroy |
the 2nd one is more suted to CI/CD systems. You will most likely have some pipeline for provisioning your resources, but you may not necessarily have any automated way of destroying them, because this doesn’t happen that often. Another point is that, this way, you can destroy specific resources without having to pass special flags, which would require changes to automation scripts.
Protect a resoure from deletion
Use the life cycle meta-parameter.
1 | lifecycle { |
Only protects against terraform destory.
set up the remote state backend
This block is special, as it configures the behavior of Terraform itself, such as setting up a backend or requiring a minimum Terraform version to execute a configuration.
1 | terraform { |
if we have some configuration which we can’t migrate to the latest version, for some reason, we can pin it to an older version in this block. Let’s set the current version.
Manage terraform versions for each project by Terraform switcher
1 | # MacOS with brew |
1 | backend "s3" { |
1 | git add . |
1 | server_side_encryption_configuration { |
1 | versioning { |
1 | lifecycle_rule { |
Best Practices
What we will build?
Provider Caching
Count Meta-Parameter
Splat Expression
1 | resource "aws_nat_gateway" "main" { |
The challenge, here, is that the gateways need to reference the subnets and the IPS that we created, but because we used count, we don’t have a direct reference to each resource. We can resolve this by using a splat expression, which you can see in action where we reference the subnet ID and the allocation ID. A splat expression allows to obtain a list of attribute values from a set of resources created using the count argument. Notice this asterisk, which represents all values in the generated list.
Resources and data sources
1 | data "aws_ami" "amazon_linux" { |
Output Variables
Example Output
1 | output "vpc_id" { |
After we run the apply once, the outputs are stored in the state file - so, the next time we need to get them, we can use terraform output.
or
1 | terraform output public_subnets |
provider version
1 | terraform providers |
Steps to add a DB server
Integrate separate Terraform configurations while keeping them in different projects
Remote state serves as a centralized source of truth:
1 | cat data_sources.tf |
Remote state allows us to share information between current projects, and to build our infrastructures in small atomic configurations focused on one thing.
1 | db_subnet_group.tf |
Notice the interpolation syntax that we use.first, specify that it’s a data source - then its type, terraform remote state. Then comes the name of particular remote state, VPC, and lastly the attribute that we are interested in.
deploy a small but realistic web application into our VPC. Our app runs in Docker, so we will provision an LST container service cluster - ECS - to host it in our private subnets. We will use Fargate, which is a managed compute and orchestration engine, so we won’t need to maintain EC2 instances that run our containers.
Use Terraform templates to compose complex string inputs
App: a REST API for a todo applicaton, written in Go. It uses Postgres scale database as its backend.
1 | cat ecs_cluster.tf |
Partitioning Infrastructure
template eg.
1 | bastion.tf |
Next, I create template_cloudinit_config data source, and pull in the rendered template file. cloudinit_config allows us to compose multi-part user data scripts.
1 | data "template_cloudinit_config" "user_data" { |
If we run terraform apply with this configuration on Windows, it most likely wouldn’t work - the problem is that Windows use a different line break tag, which is not valid on Linux. Windows use both carriage return and line feed, while Linux only uses line feed. The easiest way to check the line break tag is to look at the bottom right corner of the editor. Anyway, long story short, we want to make sure that this script is valid, even if we deploy our configuration from a Windows machine. This is probably the only case where there is any difference between running Terraform on Linux and on Windows. There are two changes that you should make to resolve this.
1 | cat .gitattributes |
1 | cat .editorconfig |
1 | ~/terraform/ecs_app_todo| |
ecs_task.tf file: This is the Terraform configuration of our ECS task. I’m using the familiar template file data source, and I’m passing the required variables using the vars parameter, which accepts a map of variables. Some of the variables come from the tfvars file, but many are imported from the remote state.
data_sources.tf file: If we check out our data sources, we see that we’re pulling in remote state from all three projects that we created earlier.
lb.tf file: another important resource that we are creating is the load balancer, which distributes income and application traffic across multiple targets, for high availability. It will also allow us to connect to our service from the public internet, and here is the security group which allows public access
confirm it’s working
1 | curl -d '{"title":"sample project"}' -H "Content-Type: application/json" -X POST todoapp-alb-91218331.ap-southeast-2.elb.amazonaws.com/projects |
Dependency graph
Parallelism
Dependencies
1 | resource "aws_lb" "todo_app" { |
depends_on = ["aws_security_group.lb"]Use explicit dependencies to resolve race conditions
1 | # Have to set an explicit dependency here to avoid |
tools
1 | terraform graph|dot -Tpng > graph.png |
Delaring Modules
1 | module "child" { |
1 | cat main.tf |
terraform get
1 | terraform get -update |
1 | region = "${var.region}" |
terraform providers
1 | terraform providers |
best practices: Keep explicit provider configurations only in the root module, and pass them down to descendant modules.
Two wasy pass providers
1 | root@stan-OptiPlex-380:~stan/Doc/Terraform/ecs_app_todo|master⚡ |
Use module-relative path for embedded files (${path.module})
Encapsulation
we can choose to make the module as transparent as possible - and in this case, it would inject all dependencies from the root module, and keep no data sources in the child module
1 | terraform init |
1 | TF_LOG=trace terraform init |
Debug:
ecs_task.tpl pg environment vars are all missing
This class was written from a largely Unix based perspective, but everything can be made to work in Windows with very little effort.
export MY_VAR=testecho ${MY_VAR}$env:my_var = "test"Get-ChildItem Env:my_varProxies can interfere with some activities if they are not configured correctly.
1 | cd ${HOME} |
1 | cd terraform-infrastructure |
Hashicorp Configuration Language v2
HCL is a JSON-compatible configuration language written by Hashicorp to be machine and human friendly.
HCL is intended to provide a less-verbose JSON style configuration language that supports comments, while also providing humans with a language that is easier to approach than YAML.
main.tfaws and ns1 providers.
variables.tfdata.tfbin/local-ip.shkey-pairs.tfbackend.tffrontend.tfsecurity-groups.tfkey-pairs.tfbackend.tftodo backend service./files support the system provisioning.frontend.tftodo servicesecurity-groups.tftodo serviceoutputs.tf
terraform initterraform planterraform applyyesterraform output1 | $ terraform state list |
ssh -i $HOME/.ssh/oreilly_aws ubuntu@${todo_ip}sudo systemctl status todo-listexitcd ..1 | $ source ./bin/ip_vars.sh |
terraform-provider-todo archive for your platform.cd $HOME/Downloads1 | $ unzip terraform-provider-todo-*.zip |
cd $HOME/class-terraform-starting/todo-for-terraformmkdir -p tf-codecp -a terraform-tests tf-codecd ./tf-code/terraform-testsvariables.tfmain.tfhost = "127.0.0.1" to host = "todo-api.spkane.org"outputs.tf1 | curl -i http://todo-api.spkane.org:8080/ |
./terraform-provider-todoCancelSystem Preferences → Security & Privacy → GeneralAllow Anyway./terraform-provider-todoOpenterraform initterrraform applyyesterraform output
You may notice that your IDs are likely not in order. This is because, by default terraform creates many of the resources in parallel and we have many students using the server at the same time.
Examine the state from one of the resulting todos
state show todo.test1[0]1 | # todo.test1[0]: |
curl -i http://todo-api.spkane.org:8080/61 | HTTP/1.1 200 OK |
count = 5 lines to read count = 4(updated) to the end of the first description string.1 | resource "todo" "test1" { |
terraform state show todo.test1[0]terraform state show todo.test1[4]terrraform applyyesterraform state show todo.test1[0]terraform state show todo.test1[4]terraform state show todo.test1[3] will work however, since we only have 4 todos now.1 | $ curl -i http://todo-api.spkane.org:8080/ -X POST \ |
{"completed":false,"description":"Imported Todo","id":13}main.tf add:1 | resource "todo" "imported" { |
terraform plan1 | # todo.imported will be created |
terraform import todo.imported[0] 13terraform planmain.tf:resource "todo" "imported" { to read resource "todo" "primary" {terraform planterraform state mv todo.imported todo.primaryterraform plancd ..cp -a ../__modules .cd __modules/todo-test-datavariables.tfmain.tfoutputs.tfcd ../../code/main.tf1 | module "series-data" { |
outputs.tf1 | output "first_series_ids" { |
terraform initterraform applyyesterraform destroyyescd ../terraform-infrastructure/terraform destroyyesTerraform: Up & Running
Terraform Documentation
Please take a moment to fill out the class survey linked to in the chat channel.
O’Reilly and I value your comments about the class.
Thank you!
