At Drupalcamp Melbourne 2015, I gave a talk about Terraform and how it can be used to keep the state of your infrastructure in configuration management.
What is Terraform?
People who are familiar with Puppet or Chef and similar config management tools will probably grasp the concept of Terraform.
Puppet and Chef manage the configuration or state of things inside your servers. Terraform, developed by HashiCorp (who made Vagrant), takes this a step further and manages the servers themselves as code.
This means that any changes you make to your infrastructure (provisioning new servers, adjusting the specification of servers, adding or removing firewall rules, load balancer configurations, etc.) can be kept in config files.
This in turn means those changes can be stored in version control, so each change can be peer reviewed, reverted, and audited.
This is a big deal for ISO27001-compliant organisations that need an audit trail of change and need to vet the change before it's applied.
Aside from the audit trail concept, the pure ability to automate the provisioning process is a huge deal. It also paves the way to develop automatic disaster recovery tests: you ought to aim to get to a point where you can rebuild your entire infrastructure at another hosting provider (or at least a separate AWS region, for example) without having to click any buttons. Terraform can make it possible.
An example to get started
My talk was an abysmal failure - somehow after all these years I forgot the golden rule and attempted a live demo on a dodgy network. What was I thinking?! Amateur hour!
Nevertheless, you can try Terraform for yourself with my demo set of manifests.
Being a Drupalcamp, I tried to make it Drupal-specific and 'in the moment' by having my Terraform manifests automatically install Drupal 8.
The neat trick is that it installs it on the EC2 instance using the database credentials retrieved from the fresh RDS instance it builds :)
Is this the right way to install stuff after provisioning your infrastructure?
A note since some of the pedants at the talk asked...
Obviously the crude bash script provisioner is not the 'right way' to install Apache, PHP etc and Drupal.
You would bake the dependencies into an AMI using something like Packer, or use a simple remote-exec provisioner to bootstrap this stuff via Puppet.
The example shown here is simply a proof of concept to introduce you to some of what's possible in Terraform.
Using the demo manifests
- Step One - grab my sample repository from Bitbucket
- Step Two - create a 'terraform.tfvars' file inside the repository directory, containing your AWS creds, like so:
    access_key = "AAAAAAAAAAAAAAAAA"
    secret_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
- Step Three - adjust the SSH key in keys.tf
- Step Four - run 'terraform apply'
This may take about 15 minutes (creation of the RDS instance is the slowest part, apparently not because of Terraform but because of AWS).
You should end up with some output that shows the URL of your Drupal 8 site. The output of Terraform will also show the admin credentials of the Drupal 8 site.
Experiment with changing the security.tf or variables.tf to change an IP address in the firewall rule, then run 'terraform plan' and 'terraform apply'. You should see that Terraform will detect what changes need to be made by inspecting the state of your infrastructure.
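Step Two puts live AWS keys in terraform.tfvars, inside a directory cloned from version control. The shell function below is an added example, not part of the demo repository, that checks the working directory before anything is committed. The name check_tf_secrets is hypothetical, and it assumes local state in the default terraform.tfstate file and a .gitignore that lists file names literally.

```shell
#!/bin/sh
# Added example (not from the demo repository): audit a Terraform working
# directory for the secrets handling implied by Step Two.
# Usage: check_tf_secrets /path/to/checkout
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_tf_secrets() {
    dir=${1:-.}
    findings=0

    # 1. terraform.tfvars holds the AWS keys: it should be owner-only.
    vars="$dir/terraform.tfvars"
    if [ -f "$vars" ]; then
        # Characters 5-10 of `ls -l` output are the group/other permission bits.
        other=$(ls -ld "$vars" | cut -c5-10)
        if [ "$other" != "------" ]; then
            echo "FAIL: $vars is accessible to group/other (chmod 600)"
            findings=$((findings + 1))
        fi
    fi

    # 2. Both files must be ignored. terraform.tfstate is included because
    #    Terraform records resource attributes (such as the RDS password) in it.
    #    Exact-line match only: patterns like *.tfvars are not recognised here.
    for name in terraform.tfvars terraform.tfstate; do
        if ! grep -qxF "$name" "$dir/.gitignore" 2>/dev/null; then
            echo "FAIL: $name is not listed in $dir/.gitignore"
            findings=$((findings + 1))
        fi
    done

    # 3. If this is a git checkout, neither file may already be tracked.
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" rev-parse --git-dir >/dev/null 2>&1; then
        for name in terraform.tfvars terraform.tfstate; do
            if git -C "$dir" ls-files --error-unmatch "$name" >/dev/null 2>&1; then
                echo "FAIL: $name is tracked by git (untrack it and rotate the keys)"
                findings=$((findings + 1))
            fi
        done
    fi

    [ "$findings" -eq 0 ]
}
```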
Much more can be done with Terraform. See the docs. Most of all: have fun!