best practices when using terraform to manage oracle …

Copyright © 2019, eProseed and/or its affiliates. All rights reserved.

BEST PRACTICES WHEN USING TERRAFORM TO MANAGE ORACLE CLOUD INFRASTRUCTURE

Simon HaslameProseed


ABOUT ME

2

Simon Haslam

• Platform / Infrastructure Architect

• Focus includes HA, DR, security, automation

Relevant to this session

• WebLogic / FMW installations since 2000s

• First research/webcast on JCS in 2016

• Designed & built SOA CS integration platform for global use since Oct 2017

• On team migrating eProseed Lux data centres to OCI@simon_haslam

since2009


ABOUT EPROSEED?

3

Oracle ACEDirectors


DISCLAIMER

What is are “best practices” anyway…? ☺

4

Copyright © 2019, eProseed and/or its affiliates. All rights reserved. 5

➢ Why automate OCI provisioning?

➢ Real-world Terraform OCI examples

➢ Terraform ‘better practices’

➢ A few more tips ☺

AGENDA






AGENDA


WHY AUTOMATE OCI PROVISIONING?

7


PAAS PROVISIONING

8


PAAS PROVISIONING

9

Terraform provides an abstraction layer above OCI’s REST APIs


TERRAFORM’S PURPOSE

“Terraform is a tool for building, changing and versioninginfrastructure safely and efficiently”

10

Cloud-agnostic but not generic

(each cloud has own providers)


BOUNDARIES

12

resourcesPROVISIONINGThis provisions resources& optionally calls “provisioner”

e.g.network

VM instancePaaS instance

VM images might be Oracle supplied plain ones, Oracle-supplied

PaaS ones, or your own (e.g. from Packer),

Maintains state of infra

OptionalProvisioner

CONFIGURATIONMANAGEMENTThis configures

resources

e.g.TLS certificates & identity

CM self-registration

Maintains internal state of resources (instances)


TERRAFORM PROVIDERS

• A provider tells Terraform how to build and manage one or many resource types

• Providers are supplied by Hashicorp, a resource provider (like Oracle), or 3rd

party/community

13


MORE ABOUT TERRAFORM PROVIDERS

• Providers are either:

– Integrated: downloaded by Terraform when needed

– Non-integrated: install from 3rd party or write your own

• 3 Oracle-developed providers available:

14

oci oraclepaas

opc

More about these in a minute..These 3 Oracle providers are all now integrated into TF

X X


oci

oraclepaas

opc

almostlegacy

legacy


OCI PROVIDER

Infrastructure & OCI-native PaaS

https://www.terraform.io/docs/providers/oci/index.html

16

Lots of resources- examples:







AGENDA


GETTING STARTED

• You need a host to run Terraform from

– could be your PC, a cloud instance, or build server

• Oracle Linux 7 example:

sudo yum install -y terraform

• Create/reuse .tf config files & set up .tfvars for your account/env

• The .tf files need to have one or more providers specified

18

terraform init

terraform plan

terraform apply

…terraform destroy


DEMO


BIG PICTURE EXAMPLE

20

DRG

Dynamic Routing Gateway

On-prem

Another VCN

Another cloud

admin






AGENDA


1. IT’S NEVER TOO EARLY TO START TERRAFORM

• Using the OCI consoles can be time consuming

• Cumulative effect

• You want to experiment as much as possible

• Exception:Compartment creation: slow, leaves trail don’t (re)create compartments often

22


2. USE SOURCE CODE CONTROL

• Infrastructure as Code… naturally you want to version it

– You probably can’t go back far but you can see who changed what & when

• Use git

– De-facto SCM these days

• Don’t use branches

– Or if you do, have branches for different environments (e.g. Puppet model)

23


3. STORE YOUR .TFSTATE CENTRALLY

• OCI Object storage (simple), or,

• terraform.io service (more advanced)

24


4. USE TERRAFORM 0.12

• Language updates from 0.11 to 0.12

• There’s an auto upgrade from 0.11 to 0.12 but I found a couple of things broke

https://www.terraform.io/upgrade-guides/0-12.html

25

https://www.terraform.io/upgrade-guides/0-12.html


5. STRUCTURE MULTIPLE TF CONFIGURATIONS

• You only want one person at a time making changes in same area

• Probably best to have TF by top-level compartment plus one global

• Depends on organisation structure

26


6. DON’T USE -AUTO-APPROVE

• This is my opinion of a best practice ☺

• -auto-approve means an apply makes changes without prompting

• You get into habit of up-up-return… errors can easily happen

(once, twice,…)

• Exception: use -auto-approve on CI server ☺

27


7. DECIDE WHEN TO USE TF & WHEN NOT

• Terraform:

– Its strength is converged state – use it often but for few changes

– State convergence sophistication is up to the provider developer• Update OCI Instance hostname - good

• Update OCI Database Service PDB name – not so good

– Use for static deployments – compartments, networks, load balancers etc

• Ansible

– Can manage state but often run in fire & forget mode

– Fire & forget is more aligned to traditional change processes

– You need a tool to customise most PaaS instances anyway

– Use for most types of instances

28


8. UPDATE YOUR OCI PROVIDER REGULARLY

• Terraform Provider for OCI changes in 2 ways:

– New features & bug fixes

– Changes to OCI REST APIs

• You may be forced to update it in a hurry otherwise

29


9. USE A MODERN EDITOR + TF PLUG-IN

Extension available for Microsoft VS Code editor

30


10. SUBSCRIBE TO TERRAFORM-PROVIDER-OCI ISSUES

31


TERRAFORM FOR OCI – BETTER PRACTICES

1. Start with Terraform early, really early, on your OCI journey

2. Use Git, but one branch (or one per env for separate TF state)

3. Store your .tfstate centrally (e.g. in OCI object storage bucket)

4. Use Terraform 0.12, especially if starting from scratch

5. Structure multiple TF configurations, probably by compartment

6. Don’t use -auto-approve (except from CI server)

7. Decide when to use TF & when not

8. Update your OCI provider regularly (you may be forced to in a hurry otherwise)

9. Use a modern editor (like VS Code) + TF plug-in

10. Subscribe to terraform-provider-oci issues33






AGENDA


A FEW MORE TIPS

• Watch your costs! This is cloud after all…

• Environment variables

• TF modules are very handy for scaling number of instances

35


ENVIRONMENT VARIABLES FOR DIFFERENT TENANCIES

36

From OCI provider doc:




TERRAFORM MODULES

Our example use case

• Lots of identical compute instances needed for on-prem provisioning automation

• 3 different types of modules:

– Fusion Middleware

– Database

– Provisioning Server

• All VMs identical for module type – pick how many you want

• But YMMV - there may be a better way than this for you ☺

37


TERRAFORM FOR OCI – BETTER PRACTICES

1. Start with Terraform early, really early, on your OCI journey

2. Use Git, but one branch (or one per env for separate TF state)

3. Store your .tfstate centrally (e.g. in OCI object storage bucket)

4. Use Terraform 0.12, especially if starting from scratch

5. Structure multiple TF configurations, probably by compartment

6. Don’t use -auto-approve (except from CI server)

7. Decide when to use TF & when not

8. Update your OCI provider regularly (you may be forced to in a hurry otherwise)

9. Use a modern editor (like VS Code) + TF plug-in

10. Subscribe to terraform-provider-oci issues38


ORACLE EXAMPLES

• https://github.com/oracle/terraform-examplesStarting point for some cases – reasonable activity (91 commits)

• https://oracle.rainfocus.com/widget/oracle/oow18/catalogoow18?search=HOL6376

39

Start here!Probably takes

1-3h

https://github.com/oracle/terraform-examples

https://oracle.rainfocus.com/widget/oracle/oow18/catalogoow18?search=HOL6376


HANDS-ON-LAB TIP

Trial account does not have sufficient compute resources to run the HOL:

=> Raise an SR to get this increased, e.g. to 10 for 2.1 shape (change shape in .tf config):

40Paid for accounts have default limit of 40 per AD for small VMs

https://docs.cloud.oracle.com/iaas/Content/General/Concepts/servicelimits.htm

https://docs.cloud.oracle.com/iaas/Content/General/Concepts/servicelimits.htm


@simon_haslam

Q &

A

Mobile Process / Integration

Analytics / Big Data

Database / Data

Management

Identity & Access

Management

Oracle Cloud

eProseed Confidential42

best practices when using terraform to manage oracle …

Documents