Copyright © 2019, eProseed and/or its affiliates. All rights reserved.
BEST PRACTICES WHEN USING TERRAFORM TO MANAGE ORACLE CLOUD INFRASTRUCTURE
Simon Haslam, eProseed
ABOUT ME
Simon Haslam
• Platform / Infrastructure Architect
• Focus includes HA, DR, security, automation
Relevant to this session
• WebLogic / FMW installations since 2000s
• First research/webcast on JCS in 2016
• Designed & built SOA CS integration platform for global use since Oct 2017
• On team migrating eProseed Lux data centres to OCI
@simon_haslam
ABOUT EPROSEED?
Oracle ACE Directors
DISCLAIMER
What are “best practices” anyway…? ☺
AGENDA
➢ Why automate OCI provisioning?
➢ Real-world Terraform OCI examples
➢ Terraform ‘better practices’
➢ A few more tips ☺
WHY AUTOMATE OCI PROVISIONING?
PAAS PROVISIONING
Terraform provides an abstraction layer above OCI’s REST APIs
TERRAFORM’S PURPOSE
“Terraform is a tool for building, changing and versioning infrastructure safely and efficiently”
Cloud-agnostic but not generic (each cloud has its own providers)
BOUNDARIES
• PROVISIONING (Terraform)
  – Provisions resources & optionally calls a “provisioner”
  – e.g. network, VM instance, PaaS instance
  – VM images might be Oracle-supplied plain ones, Oracle-supplied PaaS ones, or your own (e.g. from Packer)
  – Maintains state of infra
  – Optional provisioner step hands over to configuration management
• CONFIGURATION MANAGEMENT
  – Configures resources
  – e.g. TLS certificates & identity, CM self-registration
  – Maintains internal state of resources (instances)
TERRAFORM PROVIDERS
• A provider tells Terraform how to build and manage one or many resource types
• Providers are supplied by Hashicorp, a resource provider (like Oracle), or 3rd party/community
MORE ABOUT TERRAFORM PROVIDERS
• Providers are either:
  – Integrated: downloaded by Terraform when needed
  – Non-integrated: install from 3rd party or write your own
• 3 Oracle-developed providers available, all now integrated into Terraform:
  – oci
  – oraclepaas (almost legacy)
  – opc (legacy)
OCI PROVIDER
Infrastructure & OCI-native PaaS
https://www.terraform.io/docs/providers/oci/index.html
Lots of resources (examples shown on slide)
GETTING STARTED
• You need a host to run Terraform from
– could be your PC, a cloud instance, or build server
• Oracle Linux 7 example:
  sudo yum install -y terraform
• Create/reuse .tf config files & set up .tfvars for your account/env
• The .tf files need to have one or more providers specified
• Workflow:
  terraform init
  terraform plan
  terraform apply
  … terraform destroy
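To make that workflow concrete, here is a minimal main.tf for the OCI provider, written for this page as an added example (it is not code from the talk). It assumes the oci provider itself is configured in a separate provider.tf, that compartment_ocid comes from terraform.tfvars or the TF_VAR_compartment_ocid environment variable, and the admin CIDR is a constructed value.

```hcl
# main.tf: added example, not code from the talk. Assumes the oci provider
# is configured in a separate provider.tf, and that compartment_ocid is
# supplied via terraform.tfvars or the TF_VAR_compartment_ocid env var.
variable "compartment_ocid" {}
variable "admin_cidr" {
  description = "Where SSH is allowed from; never 0.0.0.0/0"
  default     = "203.0.113.0/24" # constructed value (RFC 5737 test range)
}

resource "oci_core_vcn" "demo" {
  compartment_id = var.compartment_ocid
  cidr_block     = "10.0.0.0/16"
  display_name   = "demo-vcn"
  dns_label      = "demo"
}

# Security list for the admin subnet: SSH only, and only from admin_cidr
resource "oci_core_security_list" "admin" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.demo.id
  display_name   = "demo-admin-sl"

  ingress_security_rules {
    protocol = "6" # TCP
    source   = var.admin_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }
  egress_security_rules {
    protocol    = "all"
    destination = "0.0.0.0/0"
  }
}

# Private subnet: no public IPs; reached over the DRG/VPN from on-prem admins
resource "oci_core_subnet" "admin" {
  compartment_id             = var.compartment_ocid
  vcn_id                     = oci_core_vcn.demo.id
  cidr_block                 = "10.0.1.0/24"
  display_name               = "demo-admin-subnet"
  dns_label                  = "admin"
  security_list_ids          = [oci_core_security_list.admin.id]
  prohibit_public_ip_on_vnic = true
}
```

terraform init downloads the oci provider, terraform plan lists the three resources to be created, and terraform apply creates them once you confirm with yes.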
DEMO
BIG PICTURE EXAMPLE
(Diagram: a VCN connected through a DRG (Dynamic Routing Gateway) to on-prem, another VCN and another cloud, with admin access from on-prem)
1. IT’S NEVER TOO EARLY TO START TERRAFORM
• Using the OCI consoles can be time consuming
• Cumulative effect
• You want to experiment as much as possible
• Exception: compartment creation is slow and leaves a trail, so don’t (re)create compartments often
2. USE SOURCE CODE CONTROL
• Infrastructure as Code… naturally you want to version it
– You probably can’t go back far but you can see who changed what & when
• Use git
– De-facto SCM these days
• Don’t use branches
– Or if you do, have branches for different environments (e.g. Puppet model)
3. STORE YOUR .TFSTATE CENTRALLY
• OCI Object storage (simple), or,
• terraform.io service (more advanced)
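An added example (not the talk's code) of the simple option above: Terraform 0.12's s3 backend pointed at an OCI Object Storage bucket through its S3-compatible endpoint. The bucket name, the namespace "mynamespace", the region and the credentials file path are assumptions; the credentials are an OCI Customer Secret Key for a user whose only job is state access.

```hcl
# backend.tf: added example, not code from the talk.
# Assumes a private bucket "tfstate" already exists in the tenancy's Object
# Storage namespace (here "mynamespace") in eu-frankfurt-1, and that an OCI
# Customer Secret Key for a state-only user is stored in
# ~/.oci/s3_credentials in the AWS shared-credentials file format.
# Backend blocks cannot use variables, so these values are literals.
terraform {
  backend "s3" {
    bucket   = "tfstate"
    key      = "global/terraform.tfstate" # one key per TF configuration
    region   = "eu-frankfurt-1"
    endpoint = "https://mynamespace.compat.objectstorage.eu-frankfurt-1.oraclecloud.com"

    shared_credentials_file = "~/.oci/s3_credentials"

    # OCI's S3 compatibility endpoint is not AWS: skip the AWS-only checks
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    force_path_style            = true
  }
}
```

State holds every attribute Terraform has read, including any sensitive values, so the bucket must stay private and the .tfstate file must never be committed to git. The s3 backend's locking relies on DynamoDB, which OCI does not offer, so there is no state lock here and concurrent applies have to be prevented by how you organise the configurations (tip 5).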
4. USE TERRAFORM 0.12
• Language updates from 0.11 to 0.12
• There’s an auto upgrade from 0.11 to 0.12 but I found a couple of things broke
https://www.terraform.io/upgrade-guides/0-12.html
5. STRUCTURE MULTIPLE TF CONFIGURATIONS
• You only want one person at a time making changes in the same area
• Probably best to have TF by top-level compartment plus one global
• Depends on organisation structure
6. DON’T USE -AUTO-APPROVE
• This is my opinion of a best practice ☺
• -auto-approve means an apply makes changes without prompting
• You get into the habit of up-up-return… errors can easily happen (once, twice,…)
• Exception: use -auto-approve on CI server ☺
7. DECIDE WHEN TO USE TF & WHEN NOT
• Terraform:
– Its strength is converged state – use it often but for few changes
– State convergence sophistication is up to the provider developer
  • Update OCI Instance hostname – good
  • Update OCI Database Service PDB name – not so good
– Use for static deployments – compartments, networks, load balancers etc
• Ansible
– Can manage state but often run in fire & forget mode
– Fire & forget is more aligned to traditional change processes
– You need a tool to customise most PaaS instances anyway
– Use for most types of instances
8. UPDATE YOUR OCI PROVIDER REGULARLY
• Terraform Provider for OCI changes in 2 ways:
– New features & bug fixes
– Changes to OCI REST APIs
• You may be forced to update it in a hurry otherwise
9. USE A MODERN EDITOR + TF PLUG-IN
Extension available for Microsoft VS Code editor
10. SUBSCRIBE TO TERRAFORM-PROVIDER-OCI ISSUES
TERRAFORM FOR OCI – BETTER PRACTICES
1. Start with Terraform early, really early, on your OCI journey
2. Use Git, but one branch (or one per env for separate TF state)
3. Store your .tfstate centrally (e.g. in OCI object storage bucket)
4. Use Terraform 0.12, especially if starting from scratch
5. Structure multiple TF configurations, probably by compartment
6. Don’t use -auto-approve (except from CI server)
7. Decide when to use TF & when not
8. Update your OCI provider regularly (you may be forced to in a hurry otherwise)
9. Use a modern editor (like VS Code) + TF plug-in
10. Subscribe to terraform-provider-oci issues
A FEW MORE TIPS
• Watch your costs! This is cloud after all…
• Environment variables
• TF modules are very handy for scaling number of instances
ENVIRONMENT VARIABLES FOR DIFFERENT TENANCIES
From OCI provider doc:
https://www.terraform.io/docs/providers/oci/index.html
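The provider.tf below is an added example (not code from the talk or the provider docs) of the environment-variable approach: the credential variables have no defaults, so each tenancy is selected purely by which TF_VAR_* values are exported, and it also carries the version constraints that tips 4 and 8 call for. The OCIDs, key path and the provider version floor are assumptions.

```hcl
# provider.tf: added example, not code from the talk. The five credential
# variables have no defaults, so Terraform stops until they are supplied,
# normally from TF_VAR_* environment variables exported per tenancy, e.g.
#   export TF_VAR_tenancy_ocid=ocid1.tenancy.oc1..PLACEHOLDER
#   export TF_VAR_user_ocid=ocid1.user.oc1..PLACEHOLDER
#   export TF_VAR_fingerprint=aa:bb:cc:...   # of the API signing key
#   export TF_VAR_private_key_path=$HOME/.oci/prod_api_key.pem
#   export TF_VAR_region=eu-frankfurt-1
# Switching tenancy (dev vs prod) is then a different set of exports, with no
# credentials written into the .tf files or the git repo.
variable "tenancy_ocid" {}
variable "user_ocid" {}
variable "fingerprint" {}
variable "private_key_path" {}
variable "region" {}

terraform {
  required_version = ">= 0.12" # 0.12 language (tip 4)
  required_providers {
    # assumed floor; raise it deliberately when you update the provider (tip 8)
    oci = ">= 3.0"
  }
}

provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.private_key_path
  region           = var.region
}
```

terraform init fails fast with a clear error if the provider version no longer satisfies the constraint, which is the controlled way to notice a provider update rather than being forced into one mid-change.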
TERRAFORM MODULES
Our example use case
• Lots of identical compute instances needed for on-prem provisioning automation
• 3 different types of modules:
– Fusion Middleware
– Database
– Provisioning Server
• All VMs identical for module type – pick how many you want
• But YMMV - there may be a better way than this for you ☺
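An added example (not eProseed's own module) of the pattern described above: one reusable module that builds N identical instances of a type, and a root call that picks N. The variable names, the image OCID variable and the VM.Standard2.1 default shape are assumptions; the root-level variables referenced in the module call are assumed to be declared in the root configuration.

```hcl
# modules/compute/main.tf: added example, not eProseed's own module. Builds N
# identical instances of one type; the caller chooses N via instance_count.
variable "name" {}
variable "instance_count" { default = 1 }
variable "compartment_ocid" {}
variable "availability_domain" {}
variable "subnet_id" {}
variable "image_ocid" {}
variable "shape" { default = "VM.Standard2.1" }
variable "ssh_public_key" {}

resource "oci_core_instance" "this" {
  count               = var.instance_count
  compartment_id      = var.compartment_ocid
  availability_domain = var.availability_domain
  display_name        = "${var.name}-${count.index + 1}"
  shape               = var.shape

  source_details {
    source_type = "image"
    source_id   = var.image_ocid
  }
  create_vnic_details {
    subnet_id        = var.subnet_id
    assign_public_ip = false # private only; reach via DRG or bastion
  }
  metadata = {
    ssh_authorized_keys = var.ssh_public_key # key-based SSH only
  }
}

output "private_ips" {
  value = oci_core_instance.this[*].private_ip # e.g. for an Ansible inventory
}

# --- root main.tf: one call per module type, e.g. three FMW VMs ---
# (assumes var.compartment_ocid, var.ad, var.fmw_subnet_id, var.ol7_image_ocid
#  and var.ssh_public_key are declared in the root configuration)
module "fmw" {
  source              = "./modules/compute"
  name                = "fmw"
  instance_count      = 3
  compartment_ocid    = var.compartment_ocid
  availability_domain = var.ad
  subnet_id           = var.fmw_subnet_id
  image_ocid          = var.ol7_image_ocid
  ssh_public_key      = var.ssh_public_key
}
```

Changing instance_count from 3 to 5 and running terraform plan shows exactly two new instances, which is the converged-state behaviour tip 7 describes as Terraform's strength.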
ORACLE EXAMPLES
• https://github.com/oracle/terraform-examples
  – Starting point for some cases – reasonable activity (91 commits)
• https://oracle.rainfocus.com/widget/oracle/oow18/catalogoow18?search=HOL6376
  – Start here! Probably takes 1-3h
HANDS-ON-LAB TIP
Trial account does not have sufficient compute resources to run the HOL:
=> Raise an SR to get this increased, e.g. to 10 for the 2.1 shape (change shape in .tf config)
Paid-for accounts have a default limit of 40 per AD for small VMs:
https://docs.cloud.oracle.com/iaas/Content/General/Concepts/servicelimits.htm
Q & A
@simon_haslam