
BUILDING YOUR OWN TERRAFORM PROVIDER

Benefits of Infrastructure as Code

Maxime Coulombe

R&D Software Developer, Coveo

André Thériault

R&D Team Lead, Coveo


Copyright © 2018 Coveo Solutions Inc. All rights reserved. Proprietary and CONFIDENTIAL


Coveo is a provider of intelligent and predictive search technologies (sometimes known as Insight Engines) that can index information stored in diverse repositories throughout the company, perform usage analytics and metadata enrichment on the indexed content, and make the content findable through search-driven interfaces.


A large infrastructure to maintain

  • 2000+ servers in production across several regions
  • Several deployments per day
  • Several Kubernetes & ECS clusters
  • Dozens of databases
  • 30+ microservices


Building and maintaining an infrastructure “the old fashioned way”


What is infrastructure as code?

resource "digitalocean_droplet" "web" {
  name   = "web"
  size   = "512mb"
  image  = "centos-5-8-x32"
  region = "frk1"
}


Benefits of infrastructure as code?

“It’s not my fault, it worked in dev”
  • Reduces the asymmetry between environments
  • Dry runs prevent errors that would affect customers

“I won’t get any feature work done this morning, we have a deployment to do”
  • Deployment in a single (or a few) command(s)
  • Easy integration with CI systems

“The guy who knows how it works is on vacation”
  • Documentation through its declarative syntax
  • Pull requests make knowledge transfer easier

“What do you mean, roll back? That’s not how infra works”
  • Versioned infrastructure
  • Often easy to go back to a previous version


How does it work?

Create the plan (> terraform plan)

Execute the plan (> terraform apply)

Destroy the plan (> terraform destroy)

Writing the terraform code

resource "digitalocean_droplet" "web" {
  name   = "web"
  size   = "512mb"
  image  = "centos-5-8-x32"
  region = "frk1"
}

Terraform will perform the following actions:

  + digitalocean_droplet.web
      id:           <computed>
      image:        "centos-5-8-x32"
      ipv4_address: <computed>
      region:       "frk1"

Plan: 1 to add, 0 to change, 0 to destroy.


Don’t limit yourself to your cloud provider

Providers                          Resources
Amazon AWS, Microsoft Azure, ...   Instances, Servers, Load Balancers
Docker, Kubernetes, Nomad, ...     Services, Pods, Network
Github, Gitlab, Bitbucket          Project, Repositories
Datadog, Grafana, Logentries       Account, Monitors, Dashboards
PostgreSQL, MySQL                  Databases, Schema, Roles


DEMO


The 4 phases of managing your application’s “secrets”

  • Put them directly in the code .. what could go wrong.
  • Put them in a config file .. alongside the code.
  • Put them in environment variables on the infrastructure.
  • Use a secrets-management infrastructure (Vault, AWS Secrets Manager, etc.)


Circle of life

  • Put secrets in the code ...
  • Put them in the infrastructure ...
  • My infrastructure is code ...
  • Put secrets in the code ...


Types of secrets

Type                           Automation
SSH keys                       ssh-keygen -t rsa -C "email@email"
DB user accounts               CREATE ROLE david LOGIN;
Encryption keys                openssl rand -base64 32
API keys, OAuth secret keys    POST http://remote-system/apikey


Types of secrets

Type                           Terraform
SSH keys                       null_resource / local-exec
DB user accounts               MySQL / PostgreSQL Provider
Encryption keys                Random Provider
API keys, OAuth secret keys    Depends on the system


Terraform + Golang = Custom Provider

In Terraform, a Provider is the logical abstraction of an upstream API. This guide details how to build a custom provider for Terraform.

Terraform supports a plugin model, and all providers are actually plugins. Plugins are distributed as Go binaries.


Creating your provider

A provider is simply an object that contains resources.

package main

import (
	"github.com/hashicorp/terraform/helper/schema"
)

func Provider() *schema.Provider {
	return &schema.Provider{
		ResourcesMap: map[string]*schema.Resource{},
	}
}


Creating your resources

A resource is the representation of one component of our provider.

func resourceServer() *schema.Resource {
	return &schema.Resource{
		Create: resourceServerCreate,
		Read:   resourceServerRead,
		Update: resourceServerUpdate,
		Delete: resourceServerDelete,

		Schema: map[string]*schema.Schema{
			"address": &schema.Schema{
				Type:     schema.TypeString,
				Required: true,
			},
			// [...]
		},
	}
}


Creating your “provider”

A resource can invoke 4* actions: “Create”, “Read”, “Update” and “Delete”.

func resourceServerCreate(d *schema.ResourceData, m interface{}) error {
	return resourceServerRead(d, m)
}

func resourceServerRead(d *schema.ResourceData, m interface{}) error {
	return nil
}

func resourceServerUpdate(d *schema.ResourceData, m interface{}) error {
	return resourceServerRead(d, m)
}

func resourceServerDelete(d *schema.ResourceData, m interface{}) error {
	return nil
}


Planning our Coveo provider

  • Organization
  • Document sources
  • Users
  • Reports
  • [...]
  • API keys


Planning our Coveo provider

Provider - Coveo

  • Resource - Organization
      • Id
      • Name
  • Resource - API key
      • Name
      • Description
      • Value
      • Permissions
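An added example (not code from the deck or from Coveo’s provider) that fills in the Create and Read skeleton shown earlier for the API key resource planned here. It assumes a hypothetical upstream API that returns the key’s value only at creation, and uses an in-memory stand-in for *schema.ResourceData so it runs without the Terraform SDK; what it shows is that the secret ends up in Terraform state, and that Read must clear the ID only on a genuine not-found.

```go
package main

import (
	"errors"
	"fmt"
)

// apiKey mirrors the "API key" resource planned in the deck (shape assumed, not Coveo's
// real API); upstream stands in for that API and, like many key APIs (assumption), returns Value only at creation.
type apiKey struct{ ID, Name, Value string }
type upstream struct{ keys map[string]apiKey; n int } // n: constructed counter standing in for random IDs

var errNotFound = errors.New("api key not found")

func (u *upstream) create(name string) apiKey {
	u.n++
	k := apiKey{ID: fmt.Sprintf("key-%d", u.n), Name: name, Value: fmt.Sprintf("s3cr3t-%d", u.n)}
	u.keys[k.ID] = k
	return k
}

func (u *upstream) get(id string) (apiKey, error) {
	k, ok := u.keys[id]
	if !ok {
		return apiKey{}, errNotFound
	}
	return apiKey{ID: k.ID, Name: k.Name}, nil // Value is never returned again
}

// state is a minimal stand-in for *schema.ResourceData: the attributes Terraform persists for one instance.
type state struct{ ID string; Attrs map[string]string }

func resourceAPIKeyCreate(d *state, m *upstream) error {
	k := m.create(d.Attrs["name"])
	d.ID = k.ID
	d.Attrs["value"] = k.Value // the secret now lives in state: mark it Sensitive and protect the state file
	return resourceAPIKeyRead(d, m)
}

func resourceAPIKeyRead(d *state, m *upstream) error {
	k, err := m.get(d.ID)
	if errors.Is(err, errNotFound) {
		d.ID = "" // deleted out of band: clear the ID so the next plan recreates it
		return nil
	} else if err != nil {
		return err // any other failure must NOT clear the ID, or Terraform would create a duplicate key
	}
	d.Attrs["name"] = k.Name // "value" left untouched: the API will not return it again
	return nil
}
```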


DEMO


Thank you

  • Our technical blog: source.coveo.com
  • Our projects: github.com/coveo
  • Terraform providers: terraform.io/docs/providers/
  • Custom provider reference: terraform.io/docs/extend/
