Oracle Cloud deployment with Terraform

BASEL | BERN | BRUGG | BUKAREST | DÜSSELDORF | FRANKFURT A.M. | FREIBURG I.BR. | GENF
HAMBURG | KOPENHAGEN | LAUSANNE | MANNHEIM | MÜNCHEN | STUTTGART | WIEN | ZÜRICH
Stefan Oehrli
Platform Architect, Trainer and Partner at Trivadis
• Since 1997 active in various IT areas
• Since 2008 with Trivadis AG
• More than 20 years of experience in Oracle databases
Focus: Protecting data and operating databases securely
• Security assessments and reviews
• Database security concepts and their implementation
• Oracle Backup & Recovery concepts and troubleshooting
• Oracle Enterprise User Security, Advanced Security, Database Vault, …
• Oracle Directory Services
Co-author of the book The Oracle DBA (Hanser, 2016/07)
@stefanoehrli www.oradba.ch

29.10.2020 APACOUC - Oracle Cloud deployment with Terraform3

Agenda
• Introduction
• Terraform in a Nutshell
• First Steps
• Next Steps and Use Cases
• Good Practice
• Further considerations
• Summary

Agenda
• Introduction
• First Steps
• Good Practice
• Summary

Introduction
• Different methods to provision resources in clouds
• First introduction usually OCI Console
• Browser based UI e.g.
https://console.eu-zurich-1.oraclecloud.com
• No automation
• Further methods provided by Oracle
• Oracle Cloud Command Line Interface oci-cli
• Oracle Cloud Infrastructure REST APIs
• Several OCI SDKs for common languages e.g. Phyton, Java, …
• Oracle Cloud Infrastructure Cloud (OCI) Shell
• None to moderate automation

Introduction
• The SDK and REST API based approaches usually requires programming
• Time consuming
• Imperative vs. declarative
• Everything must be specified explicitly
• I once built an OCI based training environment with oci-cli
• oci-cli and bash at its best…
• The key word is infrastructure as code (IaC)
• Management of infrastructure in a descriptive model
• same source code generates the same environment
• key DevOps practice
• Several popular IaC Tools available
• Chef, Puppet, Ansible, SaltStack, CloudFormation, Terraform, …
• Whereby the fields of application more or less differ

Agenda
• Introduction
• First Steps
• Good Practice
• Summary

Terraform in a Nutshell
Source: Universe Today The Definitive Guide To Terraforming (February 2016)

Terraform History
• Terraform for Generation X
• dictionary.com: To alter the environment of (a celestial body)
in order to make capable of supporting
terrestrial life forms
• Pure science fiction J …
• … frequently a topic in SF books, films, TV series, etc. (Star Trek vs Star Wars)
• Terraform for Millennials
• Open Source Software by HashiCorp
• Initial release mid 2014, current stable release 0.13.4
• Infrastructure as code software tool
• Declarative configuration language
• Written in go (see https://github.com/hashicorp/terraform)
• Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently

One ring to rule them all…
• Almost any infrastructure can be represented as a resource in Terraform
• Terraform uses a declarative and not procedural language
• It generates an execution plan…
• … executes it to build the described infrastructure
• Terraform and its declarative configuration language is not generic
• Configurations cannot simply be deployed on any cloud
• Usually they have to be rewritten for other cloud providers
• Terraform is cloud-agnostic
• Each configuration is bound to a cloud provider
• The current state of an Infrastructure has to be maintained by terraform
• Kept in a state file terraform.tfstate
• Used to plan and apply changes to an infrastructure

Terraform Components
• Configuration Language
• A language describing an intended goal rather than the steps to reach that goal
• Providers - are responsible for understanding API interactions and exposing resources
• They tell Terraform how to build and manage one or many resource types
• Available via Terraform Registry or GitHub (https://github.com/terraform-providers)
• Modules – are containers for multiple resources that are used together
• Can be used to create abstraction
• Modules itself can use other modules
• Available via Terraform Registry, local path or source control (github, bucket,…)
• Backends - determines how state is loaded and how an operation such as apply is executed

Terraform Provider

Terraform Provider
• Providers are supplied by …
• … Hashicorp
• … a resource provider
• … 3rd party/community
• The providers are either be
• Integrated downloaded by Terraform when needed
• Non-integrated own or 3rd party provider manually installed
• There are three Oracle Provider available
• Oracle Cloud Infrastructure (OCI) provider see
https://registry.terraform.io/providers/hashicorp/oci/latest
• Oracle Platform Cloud provider see
https://registry.terraform.io/providers/hashicorp/oraclepaas/latest
• Oracle Cloud Infrastructure Classic provider see
https://registry.terraform.io/providers/hashicorp/opc/latest

Terraform OCI Provider
• OCI Provider in Terraform Registry https://registry.terraform.io/providers/hashicorp/oci/latest
• Link to source including examples
• Link to documentation

Terraform and other IaC Tools
• Terraform is used to …
• … create immutable infrastructures
• … describe an infrastructure rather than define the procedure to how to provision it
• … is declarative
• … focus on provisioning e.g. it is not a configuration management tool
• … does deploy version x of IaC to … e.g. does not “upgrade” a infrastructure
• Alternatives to Terraform are available
• Tools like Ansible, Puppet and Chef
• Do build mutable infrastructure
• Are rather a configuration management
• In most cases procedural

Agenda
• Introduction
• First Steps
• Good Practice
• Summary

brew install terraform
user@gaia:~/ [ic19300] terraform -version
Terraform v0.13.5
First Steps - Installation
• Available for common OS e.g. Linux, MacOS, Windows, Solaris etc.
https://www.terraform.io/downloads.html
• Recommended to use the latest stable release
• Terraform 0.13.4 introduced a couple of features like loop/count support for modules
• Installation on MacOS is straight forward using brew

• Copy the public key to your user account
• Go to User Settings
• Click API Keys
• Click Add Public Key
•
mkdir $HOME/.oci
openssl genrsa -out $HOME/.oci/oci_user.pem 2048
chmod 600 $HOME/.oci/oci_user.pem
openssl rsa -pubout -in $HOME/.oci/oci_user.pem
-out $HOME/.oci/ oci_user_public.pem
First Steps - Configure
• OCI Terraform Provider requires configuration to be able to access OCI resources
• Create RSA keys to authenticate against OCI
• Configure Terraform Provider
• An example

• Gather Required Information from OCI Console
• Tenancy OCID: <tenancy-ocid>
• From your user avatar, go to Tenancy:<your-tenancy> and copy OCID
• User OCID: <user-ocid>
• From your user avatar, go to User Settings and copy OCID.
• Fingerprint: <fingerprint>
• From your user avatar, go to User Settings and click API Keys
• Copy the fingerprint associated with the RSA public key you made before
• Region: <region-identifier>
• From the top navigation bar, find your region

provider "oci" {
tenancy_ocid = "ocid1.tenancy.oc1..aaaaaxuk4je4tqv3nz64s4dmq…"
user_ocid = "ocid1.user.oc1..aaaadwaaqddbuc3sws4ad4kezkmq…"
fingerprint = "4d:e7:ff:8b:35:a9:c9:c7:3e:c9:1f:2a:c7:34:54:00"
private_key_path = ".oci/oci_user.pem"
region = "eu-zurich-1"
}
• Create a folder for your Terraform configuration e.g. test
• Create a simple file provider.tf with the information collected above.
• For testing this might be ok
• But if you store the config in version control, you would store your credential information
• It is higly recommended to define variables and store information outside of your config
• E.g. environment variables

• Dedicated Variable file e.g. variables.tf
provider "oci" {
tenancy_ocid = var.tenancy_ocid
user_ocid = var.user_ocid
fingerprint = var.fingerprint
private_key_path = var.private_key_path
region = var.region
}
variable "user_ocid" {
description = "user OCID used to access OCI"
type = string
}
variable "fingerprint" {}
variable "private_key_path" {}
• Same provider.tf file with variables

• Or as environment variable with the prefix TF_VAR
# provider identity parameters ------------------------------------
region = "eu-zurich-1"
export TF_VAR_fingerprint="d4:d7:af:8b:c1:f9:c9:b7:3e:c9:1f:2a:c7:3b:54:00"
export TF_VAR_user_ocid="ocid1.user.oc1..aaaadwaaqddbuc3sws4ad4kezkmq…"
• The values can then either be defined in a terraform.tfvars file
• Keep the authentication information separate from your terraform configuration
• Can be reused for other configurations

• Validate your terraform configuration
terraform init
terraform validate
First Steps – Init, Plan, Apply
• Initialize the terraform configuration
• this will create the .terraform folder and download required providers / modules
• Plan the terraform provisioning
terraform plan –out=test.tfplan
• Apply the plan
terraform apply test.tfplan

• Results will be shown by the output
data "oci_core_images" "oracle_images" {
compartment_id = var.compartment_id
operating_system = var.ux_host_os
sort_by = "TIMECREATED"
}
output "oracle_images" {
description = "List of available Oracle Images."
value = data.oci_core_images.oracle_images
}
First Steps – What's inside
• A simple data source to ”query” information in OCI

Agenda
• Introduction
• First Steps
• Good Practice
• Summary

Next Steps
• Example was rather simple
• OCI Provider does provide a couple of resources and data sources, see
https://registry.terraform.io/providers/hashicorp/oci/latest/docs
• Comprehensive provider documentation with examples

Next Steps
• Start to build small infrastructure configuration
• Combine them if necessary e.g.
• Configuration for a Network / VCN setup
• Configuation for an Autonomouse Database
• Avoid to create a huge infrastructur configuration
• Here again “One ring to rule them all,…” does not make sense
• It gets cumbersome
• Source for failure does increase
• Start to consider using Modules
• Define reusable Infrastructure components
• Container for multiple resources that are used together

Modules
• Modules generally define at least the following configuration:
• Input variables to accept values from the calling module
• Output values to return results to the calling module
• Resources to define one or more infrastructure objects that the module will manage
• Terraform recommend to follow a standard structure for the module incl. files and folder
• Root module
• README file documenting the module
• Configuration files main.tf, variables.tf, outputs.tf
• Example how to use the module
• Nested modules

module "lab_compartment" {
source = "../modules/lab_compartment"
lab_compartment_name = var.tag_tvd_training
base_compartment_ocid = var.training_compartment_ocid
}
Module Sources
• Modules are eiterh local or in a remote location
• Specified by the source argument in the module blocke
• Remote locations for Modules are…
• … Terraform Registry, which are usually also in a GitHub repository
• … GitHuB, Bitbucket or a generic git repository
• … http URLs and buckets like S3 or GCS
• Terraform will download / copy modules in use to the local .terraform folder

module "tvdlab-vcn" {
source = "Trivadis/tvdlab-vcn/oci”
version = "1.1.3"
# insert the 2 required variables here
}
Terraform Registry
• Directly integrated into Terraform
• Terraform will download required providers or module during terraform init
• Location for integrations (providers) and configuration packages (modules)
• developed by HashiCorp
• Third party vendors
• Terraform community
• Does provide basic documentation depending on source
• Readme, input/output values, dependencies and resource

Terraform Registry

Trivadis OCI Module - tvdlab-base
• Combinded Module in Terraform Repository
• Depends on
• tvdlab-bastion to build a bastion host
• tvdlab-db to build a db host
• tvdlab-vcn to build a VCN
• Based on Oracle Module with similar use cases
• But do support count to create n-number of similar instances
• Base Module to build training / lab environments
• VCN setup with a public and private network
• Accessible via bastion host
• Access via SSH or HTTP guacamole

Trivadis OCI Module

Trivadis LAB
• Trivadis Training start using OCI for there Oracle Based Trainings
• Setup and Configure Infrastructure using Terraform
• Define reusable components e.g. Modules
• Module for VCN with private and public subnet
• Module for Bastion host with dedicated bootstrap script
• Module for compute instance
• Module for other resources
• Provision the number of environments based on trainis
• Simply specify TF_VAR_tvd_participants to add n-numbers of environments

Trivadis LAB – O-SEC

.
├── O-SEC.tfplan
├── README.md
├── additional_oud_host.tf
├── additional_win_host.tf
├── compartment.tf
├── datasource.tf
├── etc
│ └── README.md
├── local.tf
├── main.tf
├── outputs.tf
├── provider.tf
├── scripts
│ ├── README.md
│ ├── bootstrap_bastion.sh
│ └── dbv.sql
├── terraform.tfvars
└── variables.tf
Trivadis LAB – O-SEC

Trivadis LAB – O-AI

Agenda
• Introduction
• First Steps
• Good Practice
• Summary

terraform {
required_version = ">= 0.13.0"
backend "http" {
update_method = "PUT"
address = "https://objectstorage.eu-zurich-1.../terraform.tfstate"
}
}
Good Practice
• Use Terraform relatively early in your OCI journey
• Use a version control system preferable git
• Create separate repository for configuration, modules etc
• Store the *.tfstate file centrally e.g. in OCI object storage
• Alternatively other backends are supported

Good Practice
• Use the latest version of Terraform at least 0.13.x
• Support for count/loop etc in modules
• In particular if you start from scratch any way
• Keep your TF configuration simple
• Create multiple files
• Separate by compartments etc.
• Be careful when re-run apply
• A new bootstrap script can cause the compute instance to be recreated
• Do not use -auto-approve or –force
• This means an apply makes changes without prompting
• Your resources can be gone faster than you would like

Good Practice
• Have a clear strategy when to use TF & when not
• Probably combination with HashiCorp Packer, Ansible etc
• Update your OCI provider regularly
• It can happen that you are forced to do this at the wrong moment
• Just quickly make a small change...
• Use a Tool like VS Code with TF plug-in
• Subscribe to the OCI and terraform-provider-oci issues

Agenda
• Introduction
• First Steps
• Good Practice
• Summary

Graphs and Resource Discovery
• Visualisation with terraform graph
• Create a visual graph of Terraform resources
• .dot file create by terraform
• Helpful to diagnosing errors
• Can become rather complex
• Provider based resource discovery
• Functionality provided by the provider itself
• Used to identify gap between current state and plan
• Used to create terraform configuration of an existing environment
• Oracle does use this in OCI itself to define Stacks

echo "module.tvdlab-base.bastion_public_ip.0"| terraform console
Terraform Console
• interactive console for evaluating expressions
• Interacting with the current state of a terraform configuration
• Does work with local an remote state
• If state is empty used to experiment with the expression syntax
• Can also be use for scripting
• grab some information from a state e.g. IP addresses of a bastion host.

Further considerations
• OCI Resource manager
• Allows to define OCI Stacks using Terraform
• Based on existing Configuration or discovery

Where to Start
• Information from Terraform
• Terraform eLearnings
• Documentation and white papers
• Oracle examples
• Oracle Based resources like
• OCI Development Documentation
• Oracle OCI Provider github repository with examples
• Oracle Terraform Registry modules
• Blog posts and cummunity projects / repositories

Agenda
• Introduction
• First Steps
• Good Practice
• Summary

Summary
• Terraform is a useful tool for implementing IaC with OCI
• a clear strategy is essential
• It can happen that you get lost by engineering the “one configuration to rule them all…”
• Consider to use Modules to combine configurations which are reused often
• Consider the good practice
• It is worth having a look at the different resource from Terraform and Oracle
• Get some Ideas
• Examples for the own infrastructure
• And if you wait until your 20 computing instances are deployed…
• … it might be time to watch one of the old SF movies / TV shows

References
• Oracle Terraform Examples https://github.com/oracle/terraform-examples
• Oracle learning Library https://github.com/oracle/learning-library
• Oracle OCI CLI https://github.com/oracle/oci-cli
• Oracle OCI Documentation:
• Terraform https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/terraform.htm
• SDK https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/sdks.htm
• REST API https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm
• Terraform OCI Provider with examples
• https://github.com/terraform-providers/terraform-provider-oci
• Terraform Documentation https://www.terraform.io/docs/index.html
• CLI, Provider and much more.

Oracle Cloud deployment with Terraform

More Related Content

What's hot (20)

Similar to Oracle Cloud deployment with Terraform (20)

More from Stefan Oehrli (16)

Recently uploaded (20)

Oracle Cloud deployment with Terraform