BASEL | BERN | BRUGG | BUKAREST | DÜSSELDORF | FRANKFURT A.M. | FREIBURG I.BR. | GENF
HAMBURG | KOPENHAGEN | LAUSANNE | MANNHEIM | MÜNCHEN | STUTTGART | WIEN | ZÜRICH
www.oradba.ch @stefanoehrli
Oracle Cloud deployment with Terraform
How to automate deployment of OCI resources
Stefan Oehrli
Stefan Oehrli
Platform Architect, Trainer and Partner at Trivadis
• Since 1997 active in various IT areas
• Since 2008 with Trivadis AG
• More than 20 years of experience in Oracle databases
Focus: Protecting data and operating databases securely
• Security assessments and reviews
• Database security concepts and their implementation
• Oracle Backup & Recovery concepts and troubleshooting
• Oracle Enterprise User Security, Advanced Security, Database Vault, …
• Oracle Directory Services
Co-author of the book The Oracle DBA (Hanser, 2016/07)
@stefanoehrli www.oradba.ch
29.10.2020 APACOUC - Oracle Cloud deployment with Terraform3
Oracle Cloud deployment with Terraform
Agenda
• Introduction
• Terraform in a Nutshell
• First Steps
• Next Steps and Use Cases
• Good Practice
• Further considerations
• Summary
Introduction
• Different methods to provision resources in clouds
• First introduction usually OCI Console
• Browser based UI e.g.
https://console.eu-zurich-1.oraclecloud.com
• No automation
• Further methods provided by Oracle
• Oracle Cloud Command Line Interface oci-cli
• Oracle Cloud Infrastructure REST APIs
• Several OCI SDKs for common languages e.g. Python, Java, …
• Oracle Cloud Infrastructure (OCI) Cloud Shell
• None to moderate automation
• The SDK and REST API based approaches usually require programming
• Time consuming
• Imperative vs. declarative
• Everything must be specified explicitly
• I once built an OCI based training environment with oci-cli
• oci-cli and bash at its best…
• The key word is infrastructure as code (IaC)
• Management of infrastructure in a descriptive model
• same source code generates the same environment
• key DevOps practice
• Several popular IaC Tools available
• Chef, Puppet, Ansible, SaltStack, CloudFormation, Terraform, …
• Their fields of application differ to a greater or lesser extent
Terraform in a Nutshell
Source: Universe Today The Definitive Guide To Terraforming (February 2016)
Terraform History
• Terraform for Generation X
• dictionary.com: To alter the environment of (a celestial body) in order to make capable of supporting terrestrial life forms
• Pure science fiction :-) …
• … frequently a topic in SF books, films, TV series, etc. (Star Trek vs Star Wars)
• Terraform for Millennials
• Open Source Software by HashiCorp
• Initial release mid 2014, current stable release 0.13.4
• Infrastructure as code software tool
• Declarative configuration language
• Written in Go (see https://github.com/hashicorp/terraform)
• Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently
One ring to rule them all…
• Almost any infrastructure can be represented as a resource in Terraform
• Terraform uses a declarative and not procedural language
• It generates an execution plan…
• … executes it to build the described infrastructure
• Terraform and its declarative configuration language are not generic
• Configurations cannot simply be deployed on any cloud
• Usually they have to be rewritten for other cloud providers
• Terraform is cloud-agnostic
• Each configuration is bound to a cloud provider
• The current state of an Infrastructure has to be maintained by terraform
• Kept in a state file terraform.tfstate
• Used to plan and apply changes to an infrastructure
Terraform Components
• Configuration Language
• A language describing an intended goal rather than the steps to reach that goal
• Providers are responsible for understanding API interactions and exposing resources
• They tell Terraform how to build and manage one or many resource types
• Available via Terraform Registry or GitHub (https://github.com/terraform-providers)
• Modules are containers for multiple resources that are used together
• Can be used to create abstraction
• Modules themselves can use other modules
• Available via Terraform Registry, local path or source control (GitHub, bucket, …)
• Backends determine how state is loaded and how an operation such as apply is executed
Terraform Provider
• Providers are supplied by …
• … Hashicorp
• … a resource provider
• … 3rd party/community
• Providers are either
• Integrated: downloaded by Terraform when needed
• Non-integrated: own or 3rd party provider, manually installed
• There are three Oracle providers available
• Oracle Cloud Infrastructure (OCI) provider see
https://registry.terraform.io/providers/hashicorp/oci/latest
• Oracle Platform Cloud provider see
https://registry.terraform.io/providers/hashicorp/oraclepaas/latest
• Oracle Cloud Infrastructure Classic provider see
https://registry.terraform.io/providers/hashicorp/opc/latest
Terraform OCI Provider
• OCI Provider in Terraform Registry https://registry.terraform.io/providers/hashicorp/oci/latest
• Link to source including examples
• Link to documentation
Terraform and other IaC Tools
• Terraform is used to …
• … create immutable infrastructures
• … describe an infrastructure rather than define the procedure for provisioning it
• … is declarative
• … focus on provisioning e.g. it is not a configuration management tool
• … does deploy version x of IaC to … e.g. does not “upgrade” an infrastructure
• Alternatives to Terraform are available
• Tools like Ansible, Puppet and Chef
• Do build mutable infrastructure
• Are rather configuration management tools
• In most cases procedural
First Steps - Installation
• Available for common OS e.g. Linux, macOS, Windows, Solaris etc.
https://www.terraform.io/downloads.html
• Recommended to use the latest stable release
• Terraform 0.13.4 introduced a couple of features like loop/count support for modules
• Installation on macOS is straightforward using brew
brew install terraform
user@gaia:~/ [ic19300] terraform -version
Terraform v0.13.5
First Steps - Configure
• OCI Terraform Provider requires configuration to be able to access OCI resources
• Create RSA keys to authenticate against OCI
• Configure Terraform Provider
• An example
# create the key directory and an RSA key pair for API signing
mkdir -p "$HOME/.oci"
openssl genrsa -out "$HOME/.oci/oci_user.pem" 2048
# the private key must be readable by its owner only
chmod 600 "$HOME/.oci/oci_user.pem"
# derive the public key that is uploaded to OCI
openssl rsa -pubout -in "$HOME/.oci/oci_user.pem" \
  -out "$HOME/.oci/oci_user_public.pem"
• Copy the public key to your user account
• Go to User Settings
• Click API Keys
• Click Add Public Key
• Gather Required Information from OCI Console
• Tenancy OCID: <tenancy-ocid>
• From your user avatar, go to Tenancy:<your-tenancy> and copy OCID
• User OCID: <user-ocid>
• From your user avatar, go to User Settings and copy OCID.
• Fingerprint: <fingerprint>
• From your user avatar, go to User Settings and click API Keys
• Copy the fingerprint associated with the RSA public key you made before
• Region: <region-identifier>
• From the top navigation bar, find your region
• Create a folder for your Terraform configuration e.g. test
• Create a simple file provider.tf with the information collected above.
# provider.tf with literal values (acceptable for a local test only)
provider "oci" {
  tenancy_ocid     = "ocid1.tenancy.oc1..aaaaaxuk4je4tqv3nz64s4dmq…"
  user_ocid        = "ocid1.user.oc1..aaaadwaaqddbuc3sws4ad4kezkmq…"
  fingerprint      = "4d:e7:ff:8b:35:a9:c9:c7:3e:c9:1f:2a:c7:34:54:00"
  private_key_path = ".oci/oci_user.pem"
  region           = "eu-zurich-1"
}
• For testing this might be ok
• But if you store the config in version control, you would also store your credential information
• It is highly recommended to define variables and store information outside of your config
• E.g. environment variables
• Dedicated variable file e.g. variables.tf
• Same provider.tf file with variables
# provider.tf: identity values come from variables, not literals
provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.private_key_path
  region           = var.region
}
# variables.tf: every variable referenced above has to be declared
variable "tenancy_ocid" {}
variable "user_ocid" {
  description = "user OCID used to access OCI"
  type        = string
}
variable "fingerprint" {}
variable "private_key_path" {}
variable "region" {}
• The values can then either be defined in a terraform.tfvars file
# provider identity parameters ------------------------------------
region = "eu-zurich-1"
• Or as environment variables with the prefix TF_VAR_
export TF_VAR_fingerprint="d4:d7:af:8b:c1:f9:c9:b7:3e:c9:1f:2a:c7:3b:54:00"
export TF_VAR_user_ocid="ocid1.user.oc1..aaaadwaaqddbuc3sws4ad4kezkmq…"
• Keep the authentication information separate from your terraform configuration
• Can be reused for other configurations
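An added example, not part of the original slides: a check that could run as a pre-commit hook or CI step to catch the literal identity values the slides warn against committing. The sample files, the `scan` function and the placeholder OCIDs are constructed for illustration; multi-line heredoc values are not covered.

```python
import re
from typing import List, NamedTuple

# Provider arguments that identify or authenticate the OCI user.
IDENTITY_ARGS = {"tenancy_ocid", "user_ocid", "fingerprint",
                 "private_key", "private_key_password"}

ASSIGN = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.+?)\s*$')
PATTERNS = [
    ("OCID", re.compile(r'ocid1\.[a-z0-9]+\.[a-z0-9]+\.[a-z0-9-]*\.\S+')),
    ("API key fingerprint",
     re.compile(r'(?i)\b(?:[0-9a-f]{2}:){15}[0-9a-f]{2}\b')),
    ("PEM private key", re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')),
]


class Finding(NamedTuple):
    path: str
    line: int
    argument: str
    reason: str


def strip_comment(line: str) -> str:
    """Drop a trailing '#' or '//' comment, ignoring markers inside strings."""
    in_string = False
    i = 0
    while i < len(line):
        ch = line[i]
        if in_string:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#" or line.startswith("//", i):
            return line[:i]
        i += 1
    return line


def literal_body(value: str):
    """Return the text of a plain string literal, or None for references."""
    if len(value) < 2 or not (value.startswith('"') and value.endswith('"')):
        return None                         # var.x, local.y, numbers, ...
    body = value[1:-1]
    if body.startswith("${") and body.endswith("}"):
        return None                         # "${var.x}" is still a reference
    return body


def scan(path: str, text: str) -> List[Finding]:
    """Report assignments whose literal value looks like OCI identity data."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        match = ASSIGN.match(strip_comment(raw))
        if not match:
            continue
        key, value = match.groups()
        body = literal_body(value)
        if not body:
            continue
        if key in IDENTITY_ARGS:
            findings.append(Finding(path, number, key, "literal identity value"))
            continue
        for name, pattern in PATTERNS:
            if pattern.search(body):
                findings.append(Finding(path, number, key, name + " in literal"))
                break
    return findings


# Constructed samples modelled on the two provider.tf variants in the slides.
HARDCODED_TF = '''\
provider "oci" {
  tenancy_ocid     = "ocid1.tenancy.oc1..constructedtenancy"
  user_ocid        = "ocid1.user.oc1..constructeduser"
  fingerprint      = "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"
  private_key_path = ".oci/oci_user.pem"
  region           = "eu-zurich-1"
}
'''
VARIABLE_TF = '''\
provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint   # fingerprint = "00:11:..." stays outside VCS
  private_key_path = var.private_key_path
  region           = var.region
}
'''
TFVARS = 'compartment_id = "ocid1.compartment.oc1..constructedcompartment"\n'

if __name__ == "__main__":
    samples = [("provider.tf", HARDCODED_TF), ("provider_vars.tf", VARIABLE_TF),
               ("terraform.tfvars", TFVARS)]
    for name, text in samples:
        for f in scan(name, text):
            # The value itself is never printed, only where it was found.
            print(f"{f.path}:{f.line}: {f.argument}: {f.reason}")
```

Run it over every file tracked by version control; a terraform.tfvars that shows up in the findings belongs in the ignore list rather than in the repository.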
First Steps – Init, Plan, Apply
• Initialize the terraform configuration
• This will create the .terraform folder and download required providers / modules
terraform init
• Validate your terraform configuration
terraform validate
• Plan the terraform provisioning
terraform plan -out=test.tfplan
• Apply the plan
terraform apply test.tfplan
First Steps – What's inside
• A simple data source to "query" information in OCI
data "oci_core_images" "oracle_images" {
  compartment_id   = var.compartment_id
  operating_system = var.ux_host_os
  sort_by          = "TIMECREATED"
}
• Results will be shown by the output
output "oracle_images" {
  description = "List of available Oracle Images."
  value       = data.oci_core_images.oracle_images
}
Next Steps
• Example was rather simple
• OCI Provider does provide a couple of resources and data sources, see
https://registry.terraform.io/providers/hashicorp/oci/latest/docs
• Comprehensive provider documentation with examples
• Start by building small infrastructure configurations
• Combine them if necessary e.g.
• Configuration for a Network / VCN setup
• Configuration for an Autonomous Database
• Avoid creating a huge infrastructure configuration
• Here again “One ring to rule them all,…” does not make sense
• It gets cumbersome
• Sources of failure increase
• Start to consider using Modules
• Define reusable Infrastructure components
• Container for multiple resources that are used together
Modules
• Modules generally define at least the following configuration:
• Input variables to accept values from the calling module
• Output values to return results to the calling module
• Resources to define one or more infrastructure objects that the module will manage
• Terraform recommends following a standard structure for modules, incl. files and folders
• Root module
• README file documenting the module
• Configuration files main.tf, variables.tf, outputs.tf
• Example how to use the module
• Nested modules
Module Sources
• Modules are either local or in a remote location
• Specified by the source argument in the module block
module "lab_compartment" {
  # local module, referenced by relative path
  source                = "../modules/lab_compartment"
  lab_compartment_name  = var.tag_tvd_training
  base_compartment_ocid = var.training_compartment_ocid
}
• Remote locations for Modules are…
• … Terraform Registry, which are usually also in a GitHub repository
• … GitHub, Bitbucket or a generic git repository
• … http URLs and buckets like S3 or GCS
• Terraform will download / copy modules in use to the local .terraform folder
Terraform Registry
• Directly integrated into Terraform
• Terraform will download required providers or modules during terraform init
• Location for integrations (providers) and configuration packages (modules)
• Developed by HashiCorp
• Third party vendors
• Terraform community
• Does provide basic documentation depending on source
• Readme, input/output values, dependencies and resources
module "tvdlab-vcn" {
  # registry module, pinned to an exact version
  source  = "Trivadis/tvdlab-vcn/oci"
  version = "1.1.3"
  # insert the 2 required variables here
}
Trivadis OCI Module - tvdlab-base
• Combined Module in Terraform Repository
• Depends on
• tvdlab-bastion to build a bastion host
• tvdlab-db to build a db host
• tvdlab-vcn to build a VCN
• Based on Oracle Module with similar use cases
• But does support count to create n similar instances
• Base Module to build training / lab environments
• VCN setup with a public and private network
• Accessible via bastion host
• Access via SSH or HTTP (Guacamole)
Trivadis OCI Module
Trivadis LAB
• Trivadis Training started using OCI for their Oracle-based trainings
• Setup and Configure Infrastructure using Terraform
• Define reusable components e.g. Modules
• Module for VCN with private and public subnet
• Module for Bastion host with dedicated bootstrap script
• Module for compute instance
• Module for other resources
• Provision the number of environments based on trainis
• Simply specify TF_VAR_tvd_participants to add n-numbers of environments
Trivadis LAB – O-SEC
.
├── O-SEC.tfplan
├── README.md
├── additional_oud_host.tf
├── additional_win_host.tf
├── compartment.tf
├── datasource.tf
├── etc
│ └── README.md
├── local.tf
├── main.tf
├── outputs.tf
├── provider.tf
├── scripts
│ ├── README.md
│ ├── bootstrap_bastion.sh
│ └── dbv.sql
├── terraform.tfvars
└── variables.tf
Trivadis LAB – O-AI
Good Practice
• Use Terraform relatively early in your OCI journey
• Use a version control system, preferably Git
• Create separate repositories for configuration, modules etc.
• Store the *.tfstate file centrally e.g. in OCI object storage
terraform {
  required_version = ">= 0.13.0"
  # remote state over HTTP, here an OCI Object Storage URL (elided on the slide)
  backend "http" {
    update_method = "PUT"
    address       = "https://objectstorage.eu-zurich-1.../terraform.tfstate"
  }
}
• Alternatively other backends are supported
• Use the latest version of Terraform at least 0.13.x
• Support for count/loop etc in modules
• In particular if you start from scratch anyway
• Keep your TF configuration simple
• Create multiple files
• Separate by compartments etc.
• Be careful when re-running apply
• A new bootstrap script can cause the compute instance to be recreated
• Do not use -auto-approve or -force
• This means an apply makes changes without prompting
• Your resources can be gone faster than you would like
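An added example, not part of the original slides: a gate that can sit between plan and apply and lists every resource the saved plan would destroy or replace, which is the case the bootstrap-script warning above describes. It reads the JSON that `terraform show -json test.tfplan` prints; the sample plan, resource addresses and `approved` parameter are constructed for illustration.

```python
import json
import sys
from typing import Dict, List, NamedTuple, Tuple


class Risk(NamedTuple):
    address: str
    kind: str            # "replace" (delete + create) or "destroy"
    changed: List[str]   # top-level attributes that differ, for replacements


def changed_attributes(before, after) -> List[str]:
    """Names of top-level attributes whose planned value differs."""
    before, after = before or {}, after or {}
    # Attributes only known after apply are absent from "after" and
    # therefore show up as changed as well.
    return sorted(k for k in set(before) | set(after)
                  if before.get(k) != after.get(k))


def destructive_changes(plan: Dict) -> List[Risk]:
    """Collect managed resources whose planned actions include a delete."""
    risks = []
    for rc in plan.get("resource_changes", []):
        if rc.get("mode") != "managed":
            continue                         # data sources are only read
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        if "delete" not in actions:
            continue
        if "create" in actions:
            diff = changed_attributes(change.get("before"), change.get("after"))
            risks.append(Risk(rc["address"], "replace", diff))
        else:
            risks.append(Risk(rc["address"], "destroy", []))
    return risks


def gate(plan_json: str, approved=frozenset()) -> Tuple[bool, List[Risk]]:
    """Return (ok, risks); ok is False while unapproved deletions remain."""
    risks = [r for r in destructive_changes(json.loads(plan_json))
             if r.address not in approved]
    return (not risks, risks)


# Constructed plan: the bastion gets a new bootstrap script in its metadata,
# which forces a replacement, and one volume is removed from the configuration.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {"address": "oci_core_vcn.lab", "mode": "managed",
         "change": {"actions": ["no-op"],
                    "before": {"display_name": "lab"},
                    "after": {"display_name": "lab"}}},
        {"address": "oci_core_instance.bastion[0]", "mode": "managed",
         "change": {"actions": ["delete", "create"],
                    "before": {"shape": "VM.Standard2.1",
                               "metadata": {"user_data": "b2xkIHNjcmlwdA=="}},
                    "after": {"shape": "VM.Standard2.1",
                              "metadata": {"user_data": "bmV3IHNjcmlwdA=="}}}},
        {"address": "oci_core_volume.scratch", "mode": "managed",
         "change": {"actions": ["delete"],
                    "before": {"display_name": "scratch"}, "after": None}},
        {"address": "data.oci_core_images.oracle_images", "mode": "data",
         "change": {"actions": ["read"], "before": None, "after": {}}},
    ],
})

if __name__ == "__main__":
    # terraform show -json test.tfplan | python plan_gate.py
    text = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    ok, risks = gate(text)
    for r in risks:
        detail = " (changed: " + ", ".join(r.changed) + ")" if r.changed else ""
        print(f"{r.kind.upper():8} {r.address}{detail}")
    sys.exit(0 if ok else 1)
```

A non-zero exit stops the pipeline before `terraform apply test.tfplan`, so a replacement is reviewed by a person instead of being applied silently.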
• Have a clear strategy when to use TF & when not
• Probably in combination with HashiCorp Packer, Ansible etc.
• Update your OCI provider regularly
• It can happen that you are forced to do this at the wrong moment
• Just quickly make a small change...
• Use a Tool like VS Code with TF plug-in
• Subscribe to the OCI and terraform-provider-oci issues
Graphs and Resource Discovery
• Visualisation with terraform graph
• Create a visual graph of Terraform resources
• .dot file created by terraform
• Helpful for diagnosing errors
• Can become rather complex
• Provider based resource discovery
• Functionality provided by the provider itself
• Used to identify gap between current state and plan
• Used to create terraform configuration of an existing environment
• Oracle does use this in OCI itself to define Stacks
Terraform Console
• Interactive console for evaluating expressions
• Interacting with the current state of a terraform configuration
• Does work with local and remote state
• If the state is empty, it can be used to experiment with the expression syntax
• Can also be used for scripting
• Grab some information from a state e.g. IP addresses of a bastion host.
echo "module.tvdlab-base.bastion_public_ip.0" | terraform console
Further considerations
• OCI Resource manager
• Allows defining OCI Stacks using Terraform
• Based on existing Configuration or discovery
Where to Start
• Information from Terraform
• Terraform eLearnings
• Documentation and white papers
• Oracle examples
• Oracle Based resources like
• OCI Development Documentation
• Oracle OCI Provider github repository with examples
• Oracle Terraform Registry modules
• Blog posts and community projects / repositories
Summary
• Terraform is a useful tool for implementing IaC with OCI
• A clear strategy is essential
• It can happen that you get lost by engineering the “one configuration to rule them all…”
• Consider using Modules to combine configurations which are reused often
• Consider the good practice
• It is worth having a look at the different resources from Terraform and Oracle
• Get some Ideas
• Examples for the own infrastructure
• And if you wait until your 20 computing instances are deployed…
• … it might be time to watch one of the old SF movies / TV shows
References
• Oracle Terraform Examples https://github.com/oracle/terraform-examples
• Oracle learning Library https://github.com/oracle/learning-library
• Oracle OCI CLI https://github.com/oracle/oci-cli
• Oracle OCI Documentation:
• Terraform https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/terraform.htm
• SDK https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/sdks.htm
• REST API https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm
• Terraform OCI Provider with examples
• https://github.com/terraform-providers/terraform-provider-oci
• Terraform Documentation https://www.terraform.io/docs/index.html
• CLI, Provider and much more.

More Related Content

Oracle Cloud deployment with Terraform

  • 1. BASEL | BERN | BRUGG | BUKAREST | DÜSSELDORF | FRANKFURT A.M. | FREIBURG I.BR. | GENF HAMBURG | KOPENHAGEN | LAUSANNE | MANNHEIM | MÜNCHEN | STUTTGART | WIEN | ZÜRICH www.oradba.ch@stefanoehrli Oracle Cloud deployment with Terraform How to automate deployment of OCI resources Stefan Oehrli
  • 2. BASEL | BERN | BRUGG | BUKAREST | DÜSSELDORF | FRANKFURT A.M. | FREIBURG I.BR. | GENF HAMBURG | KOPENHAGEN | LAUSANNE | MANNHEIM | MÜNCHEN | STUTTGART | WIEN | ZÜRICH Stefan Oehrli Platform Architect, Trainer and Partner at Trivadis • Since 1997 active in various IT areas • Since 2008 with Trivadis AG • More than 20 years of experience in Oracle databases Focus: Protecting data and operating databases securely • Security assessments and reviews • Database security concepts and their implementation • Oracle Backup & Recovery concepts and troubleshooting • Oracle Enterprise User Security, Advanced Security, Database Vault, … • Oracle Directory Services Co-author of the book The Oracle DBA (Hanser, 2016/07) @stefanoehrli www.oradba.ch
  • 3. 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform3
  • 5. Agenda • Introduction • Terraform in a Nutshell • First Steps • Next Steps and Use Cases • Good Practice • Further considerations • Summary 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform5
  • 6. Agenda • Introduction • Terraform in a Nutshell • First Steps • Next Steps and Use Cases • Good Practice • Further considerations • Summary 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform6
  • 7. Introduction 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform7 • Different methods to provision resources in clouds • First introduction usually OCI Console • Browser based UI e.g. https://console.eu-zurich-1.oraclecloud.com • No automation • Further methods provided by Oracle • Oracle Cloud Command Line Interface oci-cli • Oracle Cloud Infrastructure REST APIs • Several OCI SDKs for common languages e.g. Phyton, Java, … • Oracle Cloud Infrastructure Cloud (OCI) Shell • None to moderate automation
  • 8. Introduction 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform8 • The SDK and REST API based approaches usually requires programming • Time consuming • Imperative vs. declarative • Everything must be specified explicitly • I once built an OCI based training environment with oci-cli • oci-cli and bash at its best… • The key word is infrastructure as code (IaC) • Management of infrastructure in a descriptive model • same source code generates the same environment • key DevOps practice • Several popular IaC Tools available • Chef, Puppet, Ansible, SaltStack, CloudFormation, Terraform, … • Whereby the fields of application more or less differ
  • 9. Agenda • Introduction • Terraform in a Nutshell • First Steps • Next Steps and Use Cases • Good Practice • Further considerations • Summary 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform9
  • 10. Terraform in a Nutshell Source: Universe Today The Definitive Guide To Terraforming (February 2016)
  • 11. Terraform History 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform11 • Terraform for Generation X • dictionary.com: To alter the environment of (a celestial body) in order to make capable of supporting terrestrial life forms • Pure science fiction J … • … frequently a topic in SF books, films, TV series, etc. (Star Trek vs Star Wars) • Terraform for Millennials • Open Source Software by HashiCorp • Initial release mid 2014, current stable release 0.13.4 • Infrastructure as code software tool • Declarative configuration language • Written in go (see https://github.com/hashicorp/terraform) • Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently
  • 12. One ring to rule them all… 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform12 • Almost any infrastructure can be represented as a resource in Terraform • Terraform uses a declarative and not procedural language • It generates an execution plan… • … executes it to build the described infrastructure • Terraform and its declarative configuration language is not generic • Configurations cannot simply be deployed on any cloud • Usually they have to be rewritten for other cloud providers • Terraform is cloud-agnostic • Each configuration is bound to a cloud provider • The current state of an Infrastructure has to be maintained by terraform • Kept in a state file terraform.tfstate • Used to plan and apply changes to an infrastructure
  • 13. Terraform Components 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform13 • Configuration Language • A language describing an intended goal rather than the steps to reach that goal • Providers - are responsible for understanding API interactions and exposing resources • They tell Terraform how to build and manage one or many resource types • Available via Terraform Registry or GitHub (https://github.com/terraform-providers) • Modules – are containers for multiple resources that are used together • Can be used to create abstraction • Modules itself can use other modules • Available via Terraform Registry, local path or source control (github, bucket,…) • Backends - determines how state is loaded and how an operation such as apply is executed
  • 14. Terraform Provider 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform14
  • 15. Terraform Provider 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform15 • Providers are supplied by … • … Hashicorp • … a resource provider • … 3rd party/community • The providers are either be • Integrated downloaded by Terraform when needed • Non-integrated own or 3rd party provider manually installed • There are three Oracle Provider available • Oracle Cloud Infrastructure (OCI) provider see https://registry.terraform.io/providers/hashicorp/oci/latest • Oracle Platform Cloud provider see https://registry.terraform.io/providers/hashicorp/oraclepaas/latest • Oracle Cloud Infrastructure Classic provider see https://registry.terraform.io/providers/hashicorp/opc/latest
  • 16. Terraform OCI Provider 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform16 • OCI Provider in Terraform Registry https://registry.terraform.io/providers/hashicorp/oci/latest • Link to source including examples • Link to documentation
  • 17. Terraform and other IaC Tools 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform17 • Terraform is used to … • … create immutable infrastructures • … describe an infrastructure rather than define the procedure to how to provision it • … is declarative • … focus on provisioning e.g. it is not a configuration management tool • … does deploy version x of IaC to … e.g. does not “upgrade” a infrastructure • Alternatives to Terraform are available • Tools like Ansible, Puppet and Chef • Do build mutable infrastructure • Are rather a configuration management • In most cases procedural
  • 18. Agenda • Introduction • Terraform in a Nutshell • First Steps • Next Steps and Use Cases • Good Practice • Further considerations • Summary 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform18
  • 19. brew install terraform user@gaia:~/ [ic19300] terraform -version Terraform v0.13.5 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform19 First Steps - Installation • Available for common OS e.g. Linux, MacOS, Windows, Solaris etc. https://www.terraform.io/downloads.html • Recommended to use the latest stable release • Terraform 0.13.4 introduced a couple of features like loop/count support for modules • Installation on MacOS is straight forward using brew
  • 20. • Copy the public key to your user account • Go to User Settings • Click API Keys • Click Add Public Key • mkdir $HOME/.oci openssl genrsa -out $HOME/.oci/oci_user.pem 2048 chmod 600 $HOME/.oci/oci_user.pem openssl rsa -pubout -in $HOME/.oci/oci_user.pem -out $HOME/.oci/ oci_user_public.pem 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform20 First Steps - Configure • OCI Terraform Provider requires configuration to be able to access OCI resources • Create RSA keys to authenticate against OCI • Configure Terraform Provider • An example
  • 21. First Steps - Configure 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform21 • Gather Required Information from OCI Console • Tenancy OCID: <tenancy-ocid> • From your user avatar, go to Tenancy:<your-tenancy> and copy OCID • User OCID: <user-ocid> • From your user avatar, go to User Settings and copy OCID. • Fingerprint: <fingerprint> • From your user avatar, go to User Settings and click API Keys • Copy the fingerprint associated with the RSA public key you made before • Region: <region-identifier> • From the top navigation bar, find your region
  • 22. provider "oci" { tenancy_ocid = "ocid1.tenancy.oc1..aaaaaxuk4je4tqv3nz64s4dmq…" user_ocid = "ocid1.user.oc1..aaaadwaaqddbuc3sws4ad4kezkmq…" fingerprint = "4d:e7:ff:8b:35:a9:c9:c7:3e:c9:1f:2a:c7:34:54:00" private_key_path = ".oci/oci_user.pem" region = "eu-zurich-1" } 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform22 First Steps - Configure • Create a folder for your Terraform configuration e.g. test • Create a simple file provider.tf with the information collected above. • For testing this might be ok • But if you store the config in version control, you would store your credential information • It is higly recommended to define variables and store information outside of your config • E.g. environment variables
  • 23. • Dedicated Variable file e.g. variables.tf provider "oci" { tenancy_ocid = var.tenancy_ocid user_ocid = var.user_ocid fingerprint = var.fingerprint private_key_path = var.private_key_path region = var.region } variable "user_ocid" { description = "user OCID used to access OCI" type = string } variable "fingerprint" {} variable "private_key_path" {} 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform23 First Steps - Configure • Same provider.tf file with variables
  • 24. • Or as environment variable with the prefix TF_VAR # provider identity parameters ------------------------------------ region = "eu-zurich-1" export TF_VAR_fingerprint="d4:d7:af:8b:c1:f9:c9:b7:3e:c9:1f:2a:c7:3b:54:00" export TF_VAR_user_ocid="ocid1.user.oc1..aaaadwaaqddbuc3sws4ad4kezkmq…" 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform24 First Steps - Configure • The values can then either be defined in a terraform.tfvars file • Keep the authentication information separate from your terraform configuration • Can be reused for other configurations
  • 25. • Validate your terraform configuration terraform init terraform validate 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform25 First Steps – Init, Plan, Apply • Initialize the terraform configuration • this will create the .terraform folder and download required providers / modules • Plan the terraform provisioning terraform plan –out=test.tfplan • Apply the plan terraform apply test.tfplan
  • 26. • Results will be shown by the output data "oci_core_images" "oracle_images" { compartment_id = var.compartment_id operating_system = var.ux_host_os sort_by = "TIMECREATED" } output "oracle_images" { description = "List of available Oracle Images." value = data.oci_core_images.oracle_images } 29.10.2020 APACOUC - Oracle Cloud deployment with Terraform26 First Steps – What's inside • A simple data source to ”query” information in OCI
  • 28. Next Steps
    • Example was rather simple
    • OCI Provider does provide a couple of resources and data sources, see https://registry.terraform.io/providers/hashicorp/oci/latest/docs
    • Comprehensive provider documentation with examples
  • 29. Next Steps
    • Start by building small infrastructure configurations
    • Combine them if necessary, e.g.
    • Configuration for a Network / VCN setup
    • Configuration for an Autonomous Database
    • Avoid creating a huge infrastructure configuration
    • Here again “One ring to rule them all,…” does not make sense
    • It gets cumbersome
    • Sources of failure increase
    • Start to consider using Modules
    • Define reusable infrastructure components
    • Container for multiple resources that are used together
  • 30. Modules
    • Modules generally define at least the following configuration:
    • Input variables to accept values from the calling module
    • Output values to return results to the calling module
    • Resources to define one or more infrastructure objects that the module will manage
    • Terraform recommends following a standard structure for the module incl. files and folders
    • Root module
    • README file documenting the module
    • Configuration files main.tf, variables.tf, outputs.tf
    • Example of how to use the module
    • Nested modules
  • 31. Module Sources
    • Modules are either local or in a remote location
    • Specified by the source argument in the module block
    • Remote locations for modules are…
    • … Terraform Registry; these modules are usually also in a GitHub repository
    • … GitHub, Bitbucket or a generic git repository
    • … HTTP URLs and buckets like S3 or GCS
    • Terraform will download / copy modules in use to the local .terraform folder

    module "lab_compartment" {
      source                = "../modules/lab_compartment"
      lab_compartment_name  = var.tag_tvd_training
      base_compartment_ocid = var.training_compartment_ocid
    }
  • 32. Terraform Registry
    • Directly integrated into Terraform
    • Terraform will download required providers or modules during terraform init
    • Location for integrations (providers) and configuration packages (modules)
    • Developed by HashiCorp
    • Third party vendors
    • Terraform community
    • Does provide basic documentation depending on source
    • Readme, input/output values, dependencies and resources

    module "tvdlab-vcn" {
      source  = "Trivadis/tvdlab-vcn/oci"
      version = "1.1.3"
      # insert the 2 required variables here
    }
  • 33. Terraform Registry
  • 34. Trivadis OCI Module - tvdlab-base
    • Combined module in the Terraform Registry
    • Depends on
    • tvdlab-bastion to build a bastion host
    • tvdlab-db to build a db host
    • tvdlab-vcn to build a VCN
    • Based on Oracle modules with similar use cases
    • But does support count to create n-number of similar instances
    • Base module to build training / lab environments
    • VCN setup with a public and private network
    • Accessible via bastion host
    • Access via SSH or HTTP guacamole
  • 35. Trivadis OCI Module
  • 36. Trivadis LAB
    • Trivadis Training started using OCI for their Oracle-based trainings
    • Set up and configure infrastructure using Terraform
    • Define reusable components, e.g. modules
    • Module for VCN with private and public subnet
    • Module for bastion host with dedicated bootstrap script
    • Module for compute instance
    • Module for other resources
    • Provision the number of environments based on the trainees
    • Simply specify TF_VAR_tvd_participants to add n-numbers of environments
  • 37. Trivadis LAB – O-SEC
  • 38. Trivadis LAB – O-SEC

    .
    ├── O-SEC.tfplan
    ├── README.md
    ├── additional_oud_host.tf
    ├── additional_win_host.tf
    ├── compartment.tf
    ├── datasource.tf
    ├── etc
    │   └── README.md
    ├── local.tf
    ├── main.tf
    ├── outputs.tf
    ├── provider.tf
    ├── scripts
    │   ├── README.md
    │   ├── bootstrap_bastion.sh
    │   └── dbv.sql
    ├── terraform.tfvars
    └── variables.tf
  • 39. Trivadis LAB – O-AI
  • 41. Good Practice
    • Use Terraform relatively early in your OCI journey
    • Use a version control system, preferably git
    • Create separate repositories for configuration, modules etc.
    • Store the *.tfstate file centrally, e.g. in OCI object storage
    • Alternatively other backends are supported

    terraform {
      required_version = ">= 0.13.0"
      backend "http" {
        update_method = "PUT"
        address       = "https://objectstorage.eu-zurich-1.../terraform.tfstate"
      }
    }
  • 42. Good Practice
    • Use the latest version of Terraform, at least 0.13.x
    • Support for count/loop etc. in modules
    • In particular if you start from scratch anyway
    • Keep your TF configuration simple
    • Create multiple files
    • Separate by compartments etc.
    • Be careful when re-running apply
    • A new bootstrap script can cause the compute instance to be recreated
    • Do not use -auto-approve or -force
    • This means an apply makes changes without prompting
    • Your resources can be gone faster than you would like
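One way to act on the advice about re-running apply and avoiding -auto-approve is to inspect the saved plan for deletions and replacements before it is applied. This is an added example, not part of the original slides; it assumes the plan was exported with terraform show -json test.tfplan, and the resource addresses in the sample are constructed.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json <planfile>` output;
# the resource names (lab, private, bastion, old_state) are made up.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {"address": "oci_core_vcn.lab", "change": {"actions": ["no-op"]}},
        {"address": "oci_core_subnet.private", "change": {"actions": ["update"]}},
        {"address": "oci_core_instance.bastion",
         "change": {"actions": ["delete", "create"]}},
        {"address": "oci_objectstorage_bucket.old_state",
         "change": {"actions": ["delete"]}},
    ],
})

def destructive_changes(plan_json):
    """Return [(address, kind)] for every resource the plan destroys or replaces."""
    plan = json.loads(plan_json)
    hits = []
    for resource in plan.get("resource_changes", []):
        actions = resource.get("change", {}).get("actions", [])
        if "delete" in actions:
            # delete+create (in either order) is a replacement, e.g. the
            # compute instance recreated after a bootstrap script change.
            kind = "replace" if "create" in actions else "destroy"
            hits.append((resource["address"], kind))
    return hits

if __name__ == "__main__":
    # Usage: terraform show -json test.tfplan | python3 plan_gate.py
    data = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    found = destructive_changes(data)
    for address, kind in found:
        print(f"{kind.upper():8} {address}")
    # Non-zero exit stops a pipeline before `terraform apply test.tfplan`.
    sys.exit(1 if found else 0)
```

Because the check runs against the same plan file that is later passed to terraform apply, what was reviewed is what gets applied.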
  • 43. Good Practice
    • Have a clear strategy when to use TF & when not
    • Probably combination with HashiCorp Packer, Ansible etc.
    • Update your OCI provider regularly
    • It can happen that you are forced to do this at the wrong moment
    • Just quickly make a small change...
    • Use a tool like VS Code with TF plug-in
    • Subscribe to the OCI and terraform-provider-oci issues
  • 45. Graphs and Resource Discovery
    • Visualisation with terraform graph
    • Create a visual graph of Terraform resources
    • .dot file created by Terraform
    • Helpful for diagnosing errors
    • Can become rather complex
    • Provider-based resource discovery
    • Functionality provided by the provider itself
    • Used to identify gaps between current state and plan
    • Used to create a Terraform configuration of an existing environment
    • Oracle does use this in OCI itself to define Stacks
  • 46. Terraform Console
    • Interactive console for evaluating expressions
    • Interacting with the current state of a Terraform configuration
    • Does work with local and remote state
    • If the state is empty, it can be used to experiment with the expression syntax
    • Can also be used for scripting
    • Grab some information from a state, e.g. IP addresses of a bastion host.

    echo "module.tvdlab-base.bastion_public_ip.0" | terraform console
  • 47. Further considerations
    • OCI Resource Manager
    • Allows to define OCI Stacks using Terraform
    • Based on existing configuration or discovery
  • 48. Where to Start
    • Information from Terraform
    • Terraform eLearnings
    • Documentation and white papers
    • Oracle examples
    • Oracle-based resources like
    • OCI Development Documentation
    • Oracle OCI Provider GitHub repository with examples
    • Oracle Terraform Registry modules
    • Blog posts and community projects / repositories
  • 50. Summary
    • Terraform is a useful tool for implementing IaC with OCI
    • A clear strategy is essential
    • It can happen that you get lost by engineering the “one configuration to rule them all…”
    • Consider using Modules to combine configurations which are reused often
    • Consider the good practice
    • It is worth having a look at the different resources from Terraform and Oracle
    • Get some ideas
    • Examples for your own infrastructure
    • And if you wait until your 20 computing instances are deployed…
    • … it might be time to watch one of the old SF movies / TV shows
  • 52. References
    • Oracle Terraform Examples https://github.com/oracle/terraform-examples
    • Oracle learning Library https://github.com/oracle/learning-library
    • Oracle OCI CLI https://github.com/oracle/oci-cli
    • Oracle OCI Documentation:
    • Terraform https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/terraform.htm
    • SDK https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/sdks.htm
    • REST API https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm
    • Terraform OCI Provider with examples https://github.com/terraform-providers/terraform-provider-oci
    • Terraform Documentation https://www.terraform.io/docs/index.html
    • CLI, Provider and much more.