Terraform GitOps

1000..1100 Terraform GitOps

  • how to do operations by pull request
  • Codefresh + Terraform
  • Erik Osterman, Cloud Posse http://cloudposse.com $250/hr
  • only does devops for companies, a terraform company
  • Sweetops https://slack.sweetops.com


  • deploy to master and deploy

devops status quo

  • manual rollouts
  • poor audit trails

terraform: more problems

  • IaC
  • describe the state of the infrastructure
  • not easy to rollback, managing the transition of state
  • won’t work well with GitOps because if the migration fails, master is not stable


terraform plan
terraform apply

why do deploys to production fail?

  • too many permutations to keep straight
    • helm, terraform, aws accounts, tools, customers, …
  • fix: not going to deploy from the developers laptop
  • Goal: make it easy for the team


  • use git as a system of record for the desired state of configuration
  • operation by pull request for IaC
  • use CI/CD for devops

Gitops Objectives

  • repeatable, predictable, auditable, accessible

Solution -> codefresh

  • https://codefresh.io
  • automate anything
  • helm, terraform, terragrunt, gitlab, bitbucket, ansible, …
  • stick everything you want to automate into containers
  • string containers together in a pipeline, run them

Basic Flow Diagram

  1. Open Pull Request
  2. Review “Auto Plan” => git hook to check it
  3. Seek Approval
  4. Deploy Changes
  5. Merge Pull Request

to get started

  1. sign up for codefresh
  2. add codefresh.yaml to each terraform

codefresh.yml sample

tfmask to filter secret information out of STDOUT


  1. add user
  2. open pr
  3. run plan
  4. seek approval
  5. apply
  6. merge
    • https://github.com/cloudposse
    • https://github.com/cloudposse/testing.cloudposse.co
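The plan, approval and apply steps listed above, together with the earlier point about tfmask sanitizing STDOUT, as an added example in POSIX shell (this is not code from the talk, from Cloud Posse or from Codefresh). It assumes `terraform` is on PATH and is run from the project directory, uses an `APPROVED_BY` variable as a stand-in for whatever a pipeline's manual-approval step records, and uses a small `sed` substitution (`mask_plan_output`) as a stand-in for tfmask rather than tfmask itself:

```shell
#!/bin/sh
# Added example, not from the talk, Cloud Posse or Codefresh: the plan -> approve -> apply
# flow as shell functions that two separate pipeline steps could call.
# Assumptions: `terraform` is on PATH and runs from the project directory; the
# APPROVED_BY variable stands in for what a pipeline's manual-approval step records;
# mask_plan_output is a small sed stand-in for tfmask, not tfmask itself.

# Mask the value of any attribute whose name looks secret, e.g.
#   + password = "hunter2"          ->   + password = <sensitive>
#   private_key: "" => "-----BEGIN" ->   private_key: <sensitive>
# Over-masking (password_length, token_ttl) is the safe default for CI logs.
mask_plan_output() {
  sed -E 's/^([[:space:]]*[-+~]?[[:space:]]*[A-Za-z0-9_.]*(password|secret|token|private_key)[A-Za-z0-9_.]*[[:space:]]*[=:][[:space:]]*).*$/\1<sensitive>/'
}

# Run one terraform subcommand in directory $1, mask everything it prints, and
# return terraform's own exit status (piping straight into sed would lose it).
run_masked() {
  dir=$1; shift
  tmp=$(mktemp)
  ( cd "$dir" && terraform "$@" ) > "$tmp" 2>&1
  status=$?
  mask_plan_output < "$tmp"
  rm -f "$tmp"
  return $status
}

# Pull-request step: produce the plan and save it as a file. Saving it means the
# plan reviewers approve is exactly the one that gets applied, not a fresh plan
# computed later against a possibly changed state.
plan_for_review() {
  run_masked "$1" plan -input=false -out="$2"
}

# Post-approval step: refuse to apply without a recorded approval or without the
# reviewed plan file, then apply that file and nothing else.
apply_reviewed_plan() {
  if [ -z "$APPROVED_BY" ]; then
    echo "refusing to apply: no approval recorded" >&2
    return 2
  fi
  if [ ! -f "$2" ]; then
    echo "refusing to apply: reviewed plan $2 not found" >&2
    return 3
  fi
  run_masked "$1" apply -input=false "$2"
}

# Usage from a pipeline (two separate steps, with the approval gate in between):
#   plan_for_review ./infra /tmp/tfplan
#   export APPROVED_BY=reviewer; apply_reviewed_plan ./infra /tmp/tfplan
```

Keeping the plan as a file between the two steps is what makes "seek approval" meaningful: the reviewer approves a concrete set of changes, and the apply step can only replay that set. Masking is applied to every line that reaches the log, including apply output, because resource attributes echoed there are as sensitive as in the plan.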

our best practices

  • use geodesic as our cloud automation shell
  • use IAM STS for short lived AWS credentials
  • use github codeowners
  • use .tfvars for non-secrets
  • use SSM parameter store + KMS for secrets
  • use scenery for clean output
  • use tfmask to sanitize output
  • cpco.io/codefresh-gitops
  • github.com/cloudposse/tfmask
  • github.com/cloudposse/geodesic

slides and videos

  • https://youtu.be/AUOV0XMR_9Q
  • https://www.slideshare.net/Codefresh/terraform-gitops-on-codefresh
  • https://cloudposse.com/