Domain I:
Understand Infrastructure as Code concepts.
Explain what IaC is:
- IaC allows you to write a configuration script that automates creating, updating, or destroying cloud infrastructure.
- IaC is a blueprint of your infrastructure.
- It allows you to easily share, version, or inventory your cloud infrastructure.
IaC Concepts:
- Infrastructure Lifecycle:
- A number of clearly defined and distinct work phases which are used by DevOps Engineers to plan, design, build, test, deliver, maintain, and retire cloud infrastructure.
- Infrastructure Lifecycle Advantages:
- Reliability: IaC makes changes idempotent, consistent, repeatable, and predictable.
- Manageability: enables mutation via code; infrastructure can be revised with minimal changes.
- Sensibility: avoids financial and reputational losses, and even loss of life, given government and military dependencies on infrastructure.
- Provisioning vs Deployment vs Orchestration:
- Provisioning: To prepare a server with systems, data, and software, and make it ready for network operation.
→ Using configuration management tools like Puppet, Ansible, Chef, Bash scripts, and PowerShell.
When you launch a cloud service and configure it, you are “provisioning”.
- Deployment: the act of delivering a version of your application to run on a provisioned server. Deployment could be performed via AWS CodePipeline, Harness, Jenkins, GitHub Actions, or CircleCI.
- Orchestration: the act of coordinating multiple systems or services. It is a common term when working with microservices and containers. Examples: Kubernetes (k8s), Salt, Fabric.
- Configuration Drift:
- is when provisioned infrastructure has an unexpected configuration change due to:
- team members manually adjusting configuration options.
- malicious actors
- side effects from APIs, SDK or CLIs
→ Configuration drift going unnoticed could lead to loss or breach of cloud services and the data residing in them, or result in interruption of services or unexpected downtime.
⇒ Detecting configuration drift?
You can detect any configuration drift using:
- A compliance tool that can detect misconfiguration (e.g. AWS Config, Azure Policy, GCP Security Health Analytics)
- Built-in support for drift detection
- Storing the expected state, e.g. Terraform state files
⇒ How to correct configuration drift?
To correct any configuration drift you can use:
- A compliance tool that can remediate misconfiguration, e.g. AWS Config
- Terraform refresh and plan commands
- Manually correcting the configuration (not recommended)
- Tearing down and setting up the infrastructure again
⇒ How to prevent configuration drift?
- Immutable infrastructure: always create and destroy, never reuse (blue-green deployment strategy).
- Servers are never modified after they are deployed
- Baking AMIs or container images via AWS Image Builder, HashiCorp Packer, or a build server (e.g. Cloud Run)
- Using GitOps to version-control our IaC and peer-review every single change via pull requests
- Immutable Infra Guarantee:
- Cloud Resource Failure - What if an EC2 instance fails a status check?
- Application Failure - What if your post-installation script fails due to a change in a package?
- Time to deploy
- HashiCorp Products:
- Boundary: secure remote access systems based on trusted identity.
- Consul: Service discovery platform
- Nomad: scheduling and deployment of tasks across worker nodes in a cluster
- Packer: a tool for building virtual machine images for later deployment
- Vagrant: building and maintenance of reproducible software development environments
- Terraform: IaC that enables provisioning and adapting virtual infrastructure across all major cloud providers
- Vault: secrets management, identity-based access, encrypting data…
- Waypoint: a modern workflow to build, deploy and release across platforms
Terraform Basics:
- Terraform Cloud:
- Terraform Cloud is a SaaS offering for:
- Remote state storage
- Version control integrations
- Flexible workflows
- Collaboration on infrastructure changes in a single unified web portal
- Terraform lifecycle:
- Code: Write or update your Terraform config file
- Init: Initialize your project and pull the latest providers and modules
- Plan: Speculate what will change or generate a saved execution plan
- Validate: Ensure types and values are valid, and the required attributes are present
- Apply: Execute the terraform plan provisioning the infrastructure
- Destroy: Destroy the remote infrastructure if you want.
- Change Automation:
- Change Management:
- A standard approach to applying changes and resolving the conflicts they cause. In the context of IaC, change management is the procedure followed when resources are modified and applied via a configuration script.
- Change Automation:
- A way of automatically creating a consistent, systematic, and predictable way of managing change requests via controls and policies.
→ Change automation allows you to know what terraform will change and in what order.
⇒ Terraform uses change automation in the form of execution plans and resource graphs to apply and review complex ChangeSets (a collection of commits that represent changes made to the versioning repo; IaC uses ChangeSets so you can see what has changed, and by whom, over time).
- Executions Plans:
- A manual review of what will be added, changed, or destroyed before you apply changes (e.g. terraform apply). Resources and config settings are listed, with an indication of what will be added, changed, or destroyed if the plan is approved.
- You can visualize an execution plan as a graph using the terraform graph command; Terraform outputs a GraphViz file.
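Added example (not from these notes): a Python script that reads the JSON form of a saved execution plan (from terraform show -json plan.out) and reports out-of-band drift in resource_drift together with the planned actions in resource_changes, so the drift-detection and execution-plan review described above can run as a CI check. The sample plan JSON is constructed, and the plan_gate exit codes are an assumed CI convention, not a Terraform one.

```python
import json
from collections import Counter

# Constructed sample of `terraform show -json plan.out` output, reduced to the
# fields used here. `resource_drift` lists changes Terraform found in the real
# infrastructure that were not made via the config; `resource_changes` lists
# what applying the plan would do about it.
SAMPLE_PLAN_JSON = json.dumps({
    "resource_drift": [
        {"address": "aws_security_group.web",
         "change": {"actions": ["update"],
                    "before": {"ingress_cidr": "10.0.0.0/8"},
                    "after": {"ingress_cidr": "0.0.0.0/0"}}},
        {"address": "aws_instance.server",
         "change": {"actions": ["delete"], "before": {"id": "i-0abc"}, "after": None}},
    ],
    "resource_changes": [
        {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
        {"address": "aws_instance.server", "change": {"actions": ["create"]}},
        {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"]}},
    ],
})

def summarize_plan(plan_json: str) -> dict:
    """Return drifted resources, a count of planned actions, and any destroys."""
    plan = json.loads(plan_json)
    drift = [(r["address"], "/".join(r["change"]["actions"]))
             for r in plan.get("resource_drift", [])]
    actions, destructive = Counter(), []
    for rc in plan.get("resource_changes", []):
        acts = rc["change"]["actions"]
        if acts == ["no-op"]:
            continue  # unchanged resources are not worth reporting
        # A replacement appears as a delete+create pair (in either order).
        key = "replace" if sorted(acts) == ["create", "delete"] else acts[0]
        actions[key] += 1
        if "delete" in acts:
            destructive.append(rc["address"])
    return {"drift": drift, "actions": dict(actions), "destructive": destructive}

def plan_gate(plan_json: str, allow_destroy: bool = False) -> int:
    """CI gate (assumed policy, not a Terraform convention): 0 = nothing to apply,
    2 = changes need human review, 1 = blocked because a resource would be destroyed."""
    summary = summarize_plan(plan_json)
    if summary["destructive"] and not allow_destroy:
        return 1
    return 2 if summary["actions"] else 0

if __name__ == "__main__":
    print(summarize_plan(SAMPLE_PLAN_JSON), "gate:", plan_gate(SAMPLE_PLAN_JSON))
```

In a pipeline, a gate result of 1 stops the apply until a human approves the destructive change, which is the point of reviewing a saved plan rather than applying directly.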
- Resource Graph:
- Terraform builds a dependency graph from terraform configurations, and walks this graph to generate plans, refresh state and more.
- Use Cases:
- IaC for Exotic Providers: Terraform supports a variety of providers beyond GCP, AWS, Azure, etc.
- Multi-Tier Applications: Terraform by default makes it easy to divide large and complex applications into isolated configuration scripts.
- Disposable Environments: Easily stand up an environment for a software demo or a temporary development environment.
- Resource Schedulers: Terraform can be used to dynamically schedule Docker containers, Hadoop, Spark, and other software tools.
- Multi-Cloud Deployment: Terraform is cloud-agnostic and allows a single config to be used to manage multiple providers, and even to handle cross-cloud dependencies.
- Terraform Core and Terraform Plugins:
- Terraform Core: uses remote procedure calls (RPC) to communicate with Terraform plugins.
- Terraform Plugins: expose an implementation for a specific service, or provisioner.
- Input and variables:
- Variables can be separated into a something.tfvars file.
- You can reference a variable with var.something.
- A variable can be marked as sensitive (bool value).
- You can specify the variable value during “apply”.
- types: string, number, bool, list, set, map, object, tuple
- example:
    variable "user_credentials" {
      type = object({
        name    = string
        address = string
      })
      sensitive = true
    }

    resource "some_resource" "a" {
      name    = var.user_credentials.name
      address = var.user_credentials.address
    }
- Output:
- return values from the config file.
- example:
    output "instance_private_ip" {
      value = aws_instance.server.private_ip
    }
Terraform Provisioners:
- Handle Terraform and provider installation and versioning
- Describe plugin-based architecture
- Demonstrate using multiple providers
- Describe how Terraform finds and fetches providers
- Explain when to use and not use provisioners, and when to use local-exec or remote-exec