kixs vol.8

## Infrastructure as code using terraform `kixs vol.8` 清家史郎(@seike460)

###### Who? Fusic Co., Ltd.  清家史郎  @seike460    

### tech - Program Language - PHP - Go - Elixir - infrastructure - Server - infrastructure as code - Network - Serverless(AWS)

### products ##### Go - s3ry (s3 prompt cli) - https://github.com/seike460/s3ry - utakata (Serverless Slack Notificatier) - https://github.com/seike460/utakata

### Organizer - Serverless Meetup Fukuoka

### Agenda - why Infrastructure as code? <!-- .element: class="fragment" --> - terraform? <!-- .element: class="fragment" --> - awspec? <!-- .element: class="fragment" --> - summary <!-- .element: class="fragment" -->

### why Infrastructure as code? - コードが設計書となる <!-- .element: class="fragment" --> - インフラをバージョン管理出来る <!-- .element: class="fragment" --> - インフラをCI出来る <!-- .element: class="fragment" -->

### 何を使うか？ 今回はAWS resource の管理 - terraform <!-- .element: class="fragment" --> - HashiCorp製 Infrastructure as code なツール <!-- .element: class="fragment" --> - awspec <!-- .element: class="fragment" --> - AWSのリソース構成をServerspecのようにテスト出来るツール <!-- .element: class="fragment" -->

### terraform? https://www.terraform.io/ - HashiCorp製(Vagrant等) <!-- .element: class="fragment" --> - 各種クラウドベンダーのリソース構成管理ツール <!-- .element: class="fragment" -->

### インストール - Mac ``` brew install terraform ``` - その他 ダウンロードして配置 https://www.terraform.io/downloads.html

#### 管理ファイル設定 tfstateと呼ばれる インフラの状態を管理しているファイルを作成 Gitなどでは無くて、S3等で共有されるのが一般的 ``` provider "aws" { # providerの指定、今回はAWS region = "ap-northeast-1" # region指定 } terraform { backend "s3" { # terraform用管理ファイルを S3に保存 bucket = "tfstate.seike460" # terraform用管理ファイルを保存するBucket key = "seike460.terraform.tfstate" # オブジェクト名 region = "ap-northeast-1" # region指定 } } ``` bucket作った状態で初期化コマンドを実行すると、S3での管理が開始 ``` terraform init ``` AWS_PROFILE指定時は以下 ``` AWS_PROFILE=seike460 terraform init ```

#### Example (EC2作成) 各種設定値を *.tfファイルに記述 ``` resource "aws_instance" "seike460" { ami = "ami-08847abae18baa040" # Amazon Linux 2 AMI (HVM), SSD Volume Type - ami-08847abae18baa040 availability_zone = "ap-northeast-1c" ebs_optimized = false instance_type = "${lookup(var.settings, "${terraform.workspace}.ec2_instance_type")}" monitoring = false key_name = "seike460.${terraform.workspace}-key" subnet_id = "${aws_subnet.seike460-public-c.id}" vpc_security_group_ids = ["${aws_security_group.seike460-web.id}"] associate_public_ip_address = true source_dest_check = true root_block_device { volume_type = "gp2" volume_size = "${lookup(var.settings, "${terraform.workspace}.ec2_volume_size")}" delete_on_termination = true } tags { "Name" = "seike460-${terraform.workspace}" } } ``` - workspaceで環境切替する - lookup関数を利用して共通設定ファイルを参照

- workspace production、staging、dev等の環境管理 staging用 workspace作成 ``` terraform workspace new staging ``` production用 workspace 切替 ``` terraform workspace select production ``` seike460用 workspace 削除 ``` terraform workspace delete seike460 ```

共通設定ファイル ``` variable settings { type = "map" default = { #production # VPC CIDR block production.cidr_head = "10.10" # Web access allowed IP addresses production.alb_allow_cidr = "0.0.0.0/0" production.web_allow_cidr = "8.8.8.8/32" production.ssh_allow_cidr = "8.8.8.8/32" # EC2 Settings production.ec2_instance_type = "t3.small" production.ec2_volume_size = 50 # staging # VPC CIDR block staging.cidr_head = "10.0" # Web access allowed IP addresses staging.alb_allow_cidr = "8.8.8.8/32" staging.web_allow_cidr = "8.8.8.8/32" staging.ssh_allow_cidr = "8.8.8.8/32" # EC2 Settings staging.ec2_instance_type = "t3.small" staging.ec2_volume_size = 50 } } ```

#### 使えるリソース 使えるリソースを列挙するのは無理なのでこちらをご参照ください https://www.terraform.io/docs/providers/aws/r/instance.html VPC、Subnet、RouteTable等必要なものtfファイルを作成していく

#### terraform plan terraform plan にてテスト及び実行時の変更状況を確認 ``` $ terraform plan Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. xxxxx xxxxx aws_instance.seike460: Refreshing state... (ID: i-460460460) xxxxx xxxxx An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: ~ update in-place -/+ destroy and then create replacement Terraform will perform the following actions: -/+ aws_instance.seike460 (new resource required) xxxxxx xxxxxx xxxxxx xxxxxx ami: "ami-08847abae18baa040" => "ami-08847abae18baa040" xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

```

#### terraform apply terraform apply にてDeploy ``` $ terraform apply xxxxx xxxxx aws_instance.tech-fusic: Refreshing state... (ID: i-460460460) xxxxx xxxxx Do you want to perform these actions in workspace "staging"? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes xxxxx xxxxx Apply complete! Resources: 1 added, 0 changed, 1 destroyed. ```

### terraform - terraformで環境構築すれば、コード ＝ 環境の状況が作れる <!-- .element: class="fragment" --> - コード ＝ 環境の状況が作れればCIが出来る <!-- .element: class="fragment" --> - 手でポチポチ作らなければ…(コード ≠ 環境) <!-- .element: class="fragment" --> - awspecで解決 <!-- .element: class="fragment" -->

### awspec? https://github.com/k1LoW/awspec - GMOペパボ所属のk1LoWさん作成のOSS <!-- .element: class="fragment" --> - AWSのリソースに対して Serverspecの用にテスト出来るruby製ツール <!-- .element: class="fragment" --> - CircleCIと連携可能 <!-- .element: class="fragment" -->

### install ``` $ gem install bundler $ bundle init $ echo 'gem "awspec"' >>Gemfile $ echo 'gem "rake"' >>Gemfile $ bundle install --path vendor/bundle $ mkdir spec $ cd spec $ bundle exec awspec init $ vim secrets.yml ``` - secrets.yml ``` region: ap-northeast-1 aws_access_key_id: XxxxxxxxxxxxxxxxxxxX aws_secret_access_key: XxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxX ```

### Specファイル生成 コマンド一発で現状のリソースに対するSpecファイル作成 ``` bundle exec awspec generate security_group vpc-seike460 --secrets-path=spec/secrets.yml ```

### 実行 ``` $ bundle exec rake spec seike460.com ec2 'i-XxxxxxxX' should have tag "Name" … … … … … … Finished in 1 minute 54.24 seconds (files took 5.08 seconds to load) 1347 examples, 0 failures ```

### CircleCI連携 

### awspec - awspec generate にて導入が楽 <!-- .element: class="fragment" --> - CircleCIと連携も楽 <!-- .element: class="fragment" --> - terraform で管理しているインフラの保護 <!-- .element: class="fragment" -->

#### summary - コード = インフラの状況を作り出す <!-- .element: class="fragment" --> - インフラ環境のCI <!-- .element: class="fragment" --> - awspec + CircleCIでterraformを保護 <!-- .element: class="fragment" -->

Thank you! Fusicは技術が大好きなエンジニアを募集しています  https://fusic.github.io/