Mastering Terraform and the OCI provider


#OracleCode AND @gregoryguillou
Agenda

● Introduction
● Terraform fundamentals
● Terraform OCI provider
● Coding and good practices
● Summary

Mastering Terraform with OCI



Ops with an angle

@gregoryguillou
gregoryguillou



● Time to Market
● Impact on all our teams
● Number of environments
● Mission critical “Ops”

● Self-service and Chatops


● Elasticity: Training, dev, test
● International deployment
● Ability to invest to add value
Why do Ops also live for the code?
● We need monitoring, CI/CD, AB testing, DRP
● We need to move faster and faster
● People should not need us!
● Let’s stop building from the ground up
● Focus on products and businesses, not infrastructure
● Ops are deadly alive!


Terraform Key concepts - https://terraform.io

● Infrastructure as Code
● A Go application
● HCL/JSON with an inference syntax
● Immutable Infrastructure
● State management
● Dozens of providers, including OCI
● Git and Registry
● Open-source and enterprise versions

gregoryguillou/oci-workshop
Should I explain OCI?
Installing Terraform for OCI (master)
● Download the software from terraform.io
● Install terraform OCI provider
● Install the OCI Command Line Interface
● Create an RSA key and register it in your API Keys
● Define your OCI CLI configuration
● Create a provider.tf file and set the associated variables
● Initialize the project with the `init` command
● Define resources and `apply` them
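
A minimal provider.tf for the last steps above, as an added example (not the workshop's own file). `tenancy` and `compartment` are the variable names used in this deck; the other variable names and the default region are assumptions.

```hcl
# provider.tf: added example, not the workshop's file.
# Every value is supplied through a TF_VAR_<name> environment variable
# (for instance from the .env file), so no OCID or key path is committed.

variable "tenancy" {
  description = "OCID of the tenancy (TF_VAR_tenancy)"
}

variable "compartment" {
  description = "OCID of the compartment that holds the stack (TF_VAR_compartment)"
}

# Assumed variable names from here on: user, fingerprint, private_key_path, region.
variable "user" {
  description = "OCID of the user that owns the API key"
}

variable "fingerprint" {
  description = "Fingerprint of the public key registered under API Keys"
}

variable "private_key_path" {
  description = "Path to the RSA private key; keep the file outside the repository, mode 0600"
}

variable "region" {
  description = "OCI region identifier"
  default     = "us-ashburn-1" # sample default
}

provider "oci" {
  tenancy_ocid     = "${var.tenancy}"
  user_ocid        = "${var.user}"
  fingerprint      = "${var.fingerprint}"
  private_key_path = "${var.private_key_path}"
  region           = "${var.region}"
}
```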
OCI Terraform resource overview
● Core: Images, Instances, Volumes, VCN, Security List, Subnets...
● Database
● DNS: Records, Zones
● File Storage
● Identity: Keys, Groups, Policies, Users
● Load Balancer
● Object Storage

Check out the documentation

A few coding good practices
● Create a specific compartment (master)
● Manage your state on a bucket (02-demo)
● Variables, inferences and dependencies (03-demo)
● Modules (04-demo)
● Packer (05-demo)
● dynamicgroups and OCI_CLI_AUTH (06-demo)
● Use other providers (07-demo)
● An easy (and bad) way to manage secrets (08-demo)
Create a specific compartment (master)
● Use OCI CLI to create a compartment
oci iam compartment create \
  --compartment-id="${TF_VAR_tenancy}" \
  --name="DevTeam" \
  --description="A compartment to be used by developers" \
  --wait-for-state=ACTIVE \
  --max-wait-seconds=300 \
  --wait-interval-seconds 5

● Add it to the .env file and to the variables

Check out 01-install.md


Manage your state on a bucket (02-demo)
● Create a bucket
● Upload the current state as an object in that bucket
● Create a pre-authenticated request for that object
● Test that you can access the file through the request
● Add a backend.tf file that references the pre-authenticated request
● Re-initialize terraform with the backend
● Verify you can access the remote state

Check out 02-remote-state.md
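
A backend.tf for the steps above, as an added example (not the workshop's own file); it uses Terraform's `http` backend with partial configuration, and `TF_STATE_PAR_URL` is an assumed variable name.

```hcl
# backend.tf: added example, not the workshop's file.
#
# The pre-authenticated request (PAR) URL is a bearer credential: anyone who
# holds it can read and overwrite the state, and the state stores resource
# attributes in clear text. Keep the URL out of the committed file and pass
# it at init time instead (TF_STATE_PAR_URL is an assumed variable name):
#
#   terraform init -backend-config="address=${TF_STATE_PAR_URL}"
#
# The URL has the form
#   https://objectstorage.<region>.oraclecloud.com/p/<token>/n/<namespace>/b/<bucket>/o/<object>
#
# Create the request on the single state object with read and write access
# and a short expiry, and re-issue it when it expires. No lock_address is
# set, so this backend does not lock the state: serialize your applies.
terraform {
  backend "http" {
    # address is supplied with -backend-config (partial configuration).

    # Object Storage expects PUT for uploads; the backend default is POST.
    update_method = "PUT"
  }
}
```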
Variables, inferences and dependencies (03-demo)
● Add access to the `compartment` variable
● Create a variable with a default value
● Infer variable value from another variable with `lookup`
● Create a VCN, DHCP Options and an Internet Gateway
● Create multiple resources and inferences with `count`

Check out 03-inferences.md
Modules (04-demo)
● Create a directory to move the resource for your module
● Remove the resource from your original stack
● Create variables and outputs to encapsulate your logic

# The module is fetched from GitHub at the 04-demo ref
module "livecode" {
  tenancy     = "${var.tenancy}"
  compartment = "${var.compartment}"
  source      = "github.com/gregoryguillou/oci-workshop?ref=04-demo//modules/public-network"
}

● Use `terraform init` to reference the new module

Check out 04-modules.md
Packer (05-demo)
● Installing Packer
● Finding the latest Oracle Linux Image
● Subnet and Compartment
● Building an OCI image with Packer
packer build -var "subnet=$SUBNET" \
  -var "compartment=$TF_VAR_compartment" \
  template.json

Check out 05-packer.md
dynamicgroups and OCI_CLI_AUTH (06-demo)
● Deploy a dynamic group and its policy
● Access the remote instance from SSH
● Use the metadata API to figure out the compartment
● Use the OCI CLI without any credentials
export OCI_CLI_AUTH=instance_principal
oci os bucket list --compartment-id=$COMPARTMENT \
  --query='data[].{bucket: name}' --output=table

Check out 06-dynamicgroups.md
Use other providers (07-demo)
● There are a lot of useful providers, including random, null, http, external, template or terraform_remote, for instance:

# Runs version.sh and exposes the JSON object it prints as a map
data "external" "version" {
  program = ["${path.module}/version.sh"]
  query = {
    workspace = "${terraform.workspace}"
  }
}

# Publishes the "oci-workshop" key of that map
output "oci-workshop" {
  value = "${lookup(data.external.version.result, "oci-workshop")}"
}

● You can use many more: kubernetes, consul, vault...

Check out 07-other-providers.md
An easy and bad way to manage secrets (08-demo)
● Rely on HashiCorp Vault for the best configuration:
○ Automatic password rotation
○ Access token expiration
○ Emergency process
● An easy way to manage secrets is to store them in a bucket:
○ Easy to push/pull new values
○ Dynamic Groups make it easy to get them back from an instance

Check out 08-secrets.md
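
The dynamic group and policy behind the 06-demo and 08-demo slides, as an added example (not the workshop's own code): instances of the compartment may list buckets and read objects from one secrets bucket, nothing more. `var.tenancy` and `var.compartment` come from this deck; `var.secrets_bucket` and the resource names are assumptions.

```hcl
# Added example, not the workshop's code.
variable "tenancy" {}
variable "compartment" {}

# Assumed variable: name of the bucket that holds the secret objects.
variable "secrets_bucket" {}

# Dynamic groups are created in the tenancy. The matching rule makes every
# instance of the compartment a member, so whoever can launch an instance
# there, or run code on one, inherits the rights granted below.
resource "oci_identity_dynamic_group" "instances" {
  compartment_id = "${var.tenancy}"
  name           = "devteam-instances"
  description    = "Instances running in the DevTeam compartment"
  matching_rule  = "instance.compartment.id = '${var.compartment}'"
}

# First statement: enough for `oci os bucket list` when
# OCI_CLI_AUTH=instance_principal is set on the instance.
# Second statement: objects are readable in the secrets bucket only, and
# never writable, so pushing new secret values stays an operator task.
resource "oci_identity_policy" "instances_read_secrets" {
  compartment_id = "${var.compartment}"
  name           = "devteam-instances-read-secrets"
  description    = "Read-only Object Storage access for instance principals"

  statements = [
    "Allow dynamic-group ${oci_identity_dynamic_group.instances.name} to read buckets in compartment id ${var.compartment}",
    "Allow dynamic-group ${oci_identity_dynamic_group.instances.name} to read objects in compartment id ${var.compartment} where target.bucket.name = '${var.secrets_bucket}'",
  ]
}
```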
Destroy your stack (08-demo)

● Destroy the stack as the last part:

oci os object delete \
  --bucket-name=ftclnpb3wrytejru.resetlogs.com \
  --name=/configuration/secret/secret.json \
  --force

terraform destroy

Check out 08-secrets.md
Random thoughts
● KISS and DRY
○ Use as few external tools as possible
○ Avoid provisioners and null_resource
● Add +1 to tag support for Terraform OCI provider #400
● Add +1 to support the container registry and OKE
● Don’t use terraform for Windows
● Rely on LetsEncrypt/DNS to generate SSL certificates
● Use Kubernetes (OKE) and a CI/CD for your application
● Implement Chatops and self-service

Summary

● Terraform is easy to use, quick to learn and popular
● OCI is a powerful and fast infrastructure
● The terraform-provider-oci leverages both OCI and TF
● The workshop explores many aspects: configuration, compartment, state, inference, modules, templates, dynamic groups, providers…
● Try the oci-workshop, provide feedback and open issues
● OCI gets more advanced tools like DCS, OKE
Another demo: terraform from slack...

gregoryguillou/terraform-api
gregoryguillou/hubot-terraform
Thank you !!!

We are hiring...
