Architecting AWS with Terraform E-Book

Architecting AWS with Terraform

Design resilient and secure Cloud Infrastructures with Terraform on Amazon Web Services

Erol Kavas

BIRMINGHAM—MUMBAI

Architecting AWS with Terraform

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Preet Ahuja

Publishing Product Manager: Niranjan Naikwadi

Senior Editor: Divya Vijayan

Technical Editor: Irfa Ansari

Copy Editor: Safis Editing

Project Coordinator: Ashwin Kharwa

Proofreader: Safis Editing

Indexer: Rekha Nair

Production Designer: Prashant Ghare

Marketing Coordinator: Rohan Dobhal

First published: December 2023

Production reference: 1071223

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB

ISBN 978-1-80324-856-1

www.packtpub.com

To my incredible wife, Mihrimah, whose steadfast support and unwavering belief in me have been my guiding light through every challenge and triumph. Your selfless dedication and willingness to help, no matter the circumstances, have been the foundation upon which I have built my dreams. You are my rock, my partner, and my inspiration. This book is a testament to your love and support.

– Erol Kavas

Contributors

About the author

Erol Kavas is a renowned multi-cloud expert and cloud evangelist in Canada, with over 20 years of industry experience. As a Microsoft Certified Trainer (MCT) Regional Lead and an AWS Ambassador, Erol is a recognized authority in cloud computing. His career spans roles such as solutions architect, security architect, enterprise architect, and delivery lead. Erol’s passion lies in helping enterprises become future-proof, with cutting-edge cloud infrastructure and security solutions. He holds over 100 certificates in cloud, security, and project management. Currently, Erol serves as a director in the cloud and data team at PwC Canada.

I want to thank the people who have been close to me and supported me, especially my wife, Mihrimah, my kids, Esad and Azra, and my colleagues.

About the reviewers

Hamza Koc has accumulated over five years of expertise in software development, cloud infrastructure, and DevOps. He stands out for his profound understanding of major cloud platforms, particularly Microsoft Azure, AWS, and GCP. As a cloud and DevOps engineer, Hamza has streamlined code delivery processes to Kubernetes clusters, architected scalable cloud solutions, and led automation efforts using tools such as Terraform. Beyond his hands-on roles, Hamza is an esteemed Microsoft Azure and Terraform trainer, guiding professionals in mastering cloud technologies and practices. His achievements are further underscored by a robust collection of certifications from industry leaders, such as Microsoft and AWS.

I wish to express my deep appreciation to my mentors and colleagues for their constant guidance. My utmost gratitude goes to my family for their unwavering belief in my capabilities, and to the visionary teams I’ve collaborated with, who have been a constant source of inspiration.

Dr. Ramazan Atalay is a global cloud security expert. With a B.Sc. in physics from METU and a Ph.D. in physics from Georgia State University, his education underpins his dynamic career in cybersecurity.

Currently at Loblaw Inc., he is a full-time employee and a Microsoft Certified Trainer for top courses on cloud security and cybersecurity. His passion for mentoring extends to his role as a colleague in Loblaw’s cybersecurity, network, and technology risk department.

Dr. Atalay is a leading figure in the cybersecurity domain, with a dedicated commitment to education and knowledge sharing.

Table of Contents

Preface

Part 1: Introduction to IAC and Terraform in AWS

1

Understanding Patterns and Antipatterns of IaC and Terraform

Introducing IaC

Key principles of IaC

Patterns and practices of IaC

Source control and VCS

Modules and versions

Documentation

Testing

Security and compliance

How to handle IaC projects

IaC principles

Version control systems for IaC

Some common use cases of IaC

Challenges and best practices with IaC

How to make decisions about IaC projects

The decision about where to store your code

Summary

2

How Not to Use IaC and Terraform

Terraform architecture and workflow

Architecture

Workflow

To Compare with the Other IaC Tools

Terraform versus CloudFormation

What is AWS CloudFormation?

Comparison and differences between Terraform and CloudFormation

Terraform or CloudFormation – which should I choose?

Summary

3

Building Your First Terraform Project

How to install Terraform

Manual installation

Popular package managers

Verifying the installation

How to install/prepare Terraform for AWS

Prerequisites

AWS CLI installation

Creating an IAM user and credentials for Terraform

Building your first Terraform configuration

Building your first Terraform template

Provisioning and testing your template

Summary

4

Discovering Best Practices for Terraform IaC Projects

How to maintain IaC projects with Terraform

Follow a standard module structure

Adopt a naming convention

Use variables carefully

Expose outputs

Use data sources

Leverage tfvars files

Separate variables and inputs based on their functionality

Limit the use of custom scripts

Include helper scripts in a separate directory

Put static files in a separate directory

Protect stateful resources

Use built-in formatting

Limit the complexity of expressions

Use count for conditional values

Use for_each for iterated resources

Publish modules to a registry

How to execute IaC projects with Terraform

How to secure IaC projects with Terraform

Implementing Terraform in DevOps or cloud teams

Summary

Part 2: Become an Expert in Terraform with AWS

5

Planning and Designing Infrastructure Projects in AWS

Terraform infrastructure project planning basics

The speed benefits

The risk management benefits

Security, reusability, and governance

Team skill sets

The best candidates for automation

The types of applications you’ll be running

The cost of automating too many tasks

The critical nature of the code

The need for software expertise

The impact on agility

Integration with existing infrastructure

Goals and available resources

The long-term plan

Quality control and security

How to design your first Terraform template in AWS

Authentication with AWS

Setting up programmatic access

Create your first AWS infrastructure with Terraform

Understanding AWS Providers

What are AWS Providers and why are they important in Terraform?

How to configure an AWS Provider in your Terraform code

Understanding the different versions of the AWS Provider and their compatibility with Terraform

Best practices for working with AWS Providers in Terraform

Understanding Terraform modules

What is a Terraform module?

Using modules

Local and remote modules

Module best practices

What problems do Terraform modules solve?

How to implement best practices with Terraform AWS modules

Terraform configurations file separation

Follow a standard module structure

Use opinionated modules to do exactly what you need

Leverage official open source modules

Make extensive use of convention over configuration

Make modules flexible with multiple optional inputs

Refer to modules by version

Consider bundling modules together if they serve a common purpose

Consider using variable and naming validation

Use locals correctly

Keep the code in your module logically separated

Separate required and optional variables

Always have an example folder within your module folder

Summary

6

Making Decisions for Terraform Projects with AWS

AWS infrastructure and fundamentals

What is AWS infrastructure?

What are the main AWS product and service categories?

How to make decisions to start a Terraform project in AWS

How to start designing your first AWS infrastructure

AWS Organizations and network fundamentals

AWS resources fundamentals

AWS shared responsibility model

How to select AWS resources

AWS environments, projects, workloads

What is an environment?

How to define environments or projects in AWS

Summary

7

Implementing Terraform in Projects

Terraform basics for developing AWS infrastructure projects

Resources

Providers

State

Modules

Variables

Outputs

Provisioners

Selecting AWS Providers

Selecting AWS public modules for your needs

How to decide on Terraform module selection

How to write custom Terraform AWS modules

Summary

8

Deploying Serverless Projects with Terraform

What are landing zones and why do we need them?

AWS Foundations

How to build landing zones with Terraform in AWS

What is serverless?

What are AWS serverless patterns?

What is AWS Lambda?

What is AWS Fargate?

How to design a serverless infrastructure with Terraform

How to develop a serverless infrastructure

How to deploy a serverless infrastructure using Terraform

Summary

9

Deploying Containers in AWS with Terraform

What are containers?

Containers in AWS

The reasons for using containers

How to containerize applications

AWS containers

How to choose the best containerization platform in AWS

How to utilize Terraform for containers

Deploying containers with Terraform

How to use Terraform for AWS container resources

How to deploy AWS ECR with Terraform

Deploying container images to AWS container platforms with Terraform

Creating an AWS EKS cluster with Terraform

Deploying an application to an AWS EKS cluster with Terraform

Summary

Part 3: How to Structure and Advance Terraform in Enterprises

10

Leveraging Terraform for the Enterprise

What is an enterprise infrastructure project?

What is an AWS enterprise project?

How to define needs and solutions for an AWS enterprise project

Defining success in AWS enterprise projects

How to discuss AWS enterprise projects

How to leverage Terraform in AWS enterprise projects

Some recommendations for AWS enterprise projects

Summary

11

Building Git Workflows for IaC and Terraform Projects

Why do we need a Git workflow?

Implementing a Git workflow

Tools and flows to use with AWS Terraform projects

How to secure a Terraform project

Streamlining AWS Terraform projects

Summary

12

Automating the Deployment of Terraform Projects

What is deployment in Terraform?

What is CI/CD for Terraform?

Why do we need CI/CD tool for Terraform?

What is the best CI/CD for Terraform?

How to build the governance and auditability of provisioning infrastructure

How to provision infrastructure securely

Summary

13

Governing AWS with Terraform

What is infrastructure governance?

The importance of infrastructure governance

Key elements of infrastructure governance

Benefits of infrastructure governance

Why do we need infrastructure governance?

Security and compliance

Cost optimization

Standardization and consistency

Risk management

How to govern infrastructure with Terraform

Resource provisioning with Terraform

Summary

14

Building a Secure Infrastructure with AWS Terraform

What is security in infrastructure?

Threats to infrastructure security

The importance of infrastructure security

Basic principles of infrastructure security

Types of security measures for infrastructure

The role of governance in infrastructure security

How to govern security in AWS

AWS security services and features

AWS security compliance and certifications

AWS security governance frameworks

Monitoring and logging for AWS security

Incident response for AWS security

How to build secure infrastructure in Terraform

Implementing least privilege using IAM policies

Creating secure network architectures

Automating compliance checks

Storing secrets securely

Managing Terraform state

Security and Terraform

The security benefits of using Terraform

Best practices for using Terraform securely

Common security risks with Terraform and how to mitigate them

Security and IaC operations

IaC pipeline security

Securing build and deployment processes

Securely managing secrets in IaC pipelines

Testing and validating infrastructure changes

Best practices for secure IaC operations

Summary

15

Perfecting AWS Infrastructure with Terraform

What does perfect mean in cloud infrastructure?

Meeting stakeholder needs

High availability

Security

Scalability

Efficiency

Continuous improvement

How to design and develop infrastructure for perfection

Defining infrastructure requirements

Establishing a design framework

Implementing best practices

Testing and validating the infrastructure

Continuous integration and continuous deployment (CI/CD)

Continuously improving cloud infrastructure

Monitoring and logging

Alerting and notification

Capacity planning and management

Cost optimization and management

IaC review

Regular security audits and updates

Performance optimization and management

Continuous improvement and iteration

Building SLAs/SLIs/SLOs with SRE principles

What are SLAs, SLIs, and SLOs?

Key principles of SRE

Developing SLAs, SLIs, and SLOs

Measuring and monitoring metrics for SLIs and SLOs

Using Terraform to enforce SLAs, SLIs, and SLOs

Best practices for managing SLAs, SLIs, and SLOs

Continuous improvement of SLAs, SLIs, and SLOs

How to run operations with Terraform

Automating common operational tasks with Terraform

Managing infrastructure changes with Terraform

Monitoring and logging infrastructure with Terraform

Troubleshooting infrastructure issues with Terraform

Scaling and managing infrastructure with Terraform

Summary

Index

Other Books You May Enjoy

Part 1:Introduction to IAC and Terraform in AWS

In this initial section, we establish the essential groundwork for mastering Terraform on AWS. We explore the fundamental concepts of Infrastructure as Code (IaC) and Terraform, including both effective patterns and common pitfalls. You’ll learn how to avoid typical mistakes and build your first Terraform project on AWS with confidence. We’ll also delve into best practices for managing Terraform projects, ensuring you have a solid foundation for efficient and maintainable IaC. By the end of this part, you’ll be well-equipped to start deploying cloud infrastructure on AWS using Terraform.

This part contains the following chapters:

1

Understanding Patterns and Antipatterns of IaC and Terraform

In an ever-evolving digital landscape, the seamless integration of development and operations has become a necessity for organizations seeking to achieve unparalleled efficiency and agility. The opening chapter of this book delves into the fascinating world of Infrastructure as Code (IaC) and Terraform, unraveling the key principles, patterns, and anti-patterns that underpin this transformative approach. With a keen focus on idempotency, immutability, and an array of best practices, this chapter illuminates the path to robust, secure, and compliant infrastructure management. As we embark on this captivating journey, we’ll explore the intricacies of IaC projects, examine the challenges they present, and unearth invaluable strategies to conquer them. By the end of this chapter, you’ll possess a solid foundation to make informed decisions about the life cycle of your infrastructure and harness the true potential of IaC and Terraform.

We’ll cover these main topics in this chapter:

Introducing IaC

IaC refers to the process of managing and provisioning computing infrastructure through machine-readable definition files instead of relying on interactive configuration tools or physical hardware setups.

IaC leverages coding techniques that have been tried and tested in software systems, extending their application to infrastructure. It is one of the key DevOps practices that enable teams to deliver infrastructure and software rapidly and reliably at scale. Having a fast and dependable infrastructure provisioning mechanism is essential for organizations that want to achieve continuous delivery for their applications.

In IaC, a declarative language is typically used to describe the desired state of a system, as well as the steps required to bring it into compliance with that state. The IaC tool then uses these descriptions to construct and manage the necessary steps automatically, transitioning the system from one state to another. As a result, IaC enables organizations to automate processes such as resource installation, configuration, deployment, scaling, updating, and deletion in their IT infrastructures.

Key principles of IaC

There are two key principles of IaC, which we will gain an understanding of in this section.

Idempotency

Idempotency is a characteristic of certain operations in mathematics, programming languages, and computer science. It refers to the property where applying these operations multiple times produces the same result without altering it except for generating identical copies.

In the context of IaC, idempotency means that regardless of the starting state and the number of times the IaC is executed, the end state remains the same. This simplifies the infrastructure provisioning process and minimizes the likelihood of inconsistent outcomes. This property offers several advantages for operations, such as the capability to roll back changes and retry them in case of failure.

One way to achieve idempotency is by using a stateful tool such as Terraform. With Terraform, you can specify the desired end state of the infrastructure, and the tool will handle the process of reaching that state.

Immutability

Configuration change management is an important topic for infrastructure provisioning. For success, we need a powerful change management recording system that records all changes made to the infrastructure, and it includes details about why those changes were made, who was responsible for them, when they were implemented, and so on.

Configuration drift can pose a significant challenge to infrastructure management. It arises when changes are made to the infrastructure without proper documentation, causing different environments to diverge in ways that are difficult to replicate. This problem is particularly prevalent in mutable infrastructures that are active for extended periods.

The consequence of configuration drift can be severe, leading to inconsistent performance and stability and security issues in the infrastructure. Since it is difficult to reproduce the exact conditions that led to the drift, troubleshooting such problems can be time-consuming and error-prone.

Immutable infrastructure is a technique for constructing and managing infrastructure in a dependable, repeatable, and foreseeable manner. This approach offers several advantages over traditional IT environment management methods. Rather than altering the existing infrastructure, immutable infrastructure involves replacing it with a new one. By provisioning fresh infrastructure each time, the approach ensures that the infrastructure remains reproducible and free from configuration drift over time.

Immutable infrastructure also provides scalability when provisioning infrastructure in cloud environments.

Now that we know what IaC is and what its key principles are, let’s look at the patterns of IaC.

Patterns and practices of IaC

Diving into the world of IaC, it is essential to uncover the patterns and practices that form the backbone of efficient and reliable implementations. In this section, we will explore the fundamental building blocks that contribute to the success of IaC, ensuring a comprehensive understanding of its best practices and a solid foundation for your IaC journey.

Source control and VCS

It is crucial to keep all aspects of your infrastructure, including the smallest scripts and pipeline configurations, in source control or version control systems (VCSs). A version control system is a tool that manages and tracks changes to documents, programs, and other collections of information, often used in software development to maintain a history of code changes.

This practice ensures that you have a record of all changes made to your infrastructure, regardless of how minor they may be. It also simplifies the process of tracking ownership and the history of changes to your infrastructure configurations.

Furthermore, it is important to make the infrastructure code accessible to all members of your organization, including those who do not directly work on the IaC code base. This visibility provides a better understanding of how the infrastructure is provisioned and enables quick troubleshooting of any issues that arise. By reviewing the code, users can gain a deeper understanding of how the infrastructure operates, and even contribute to the development of the infrastructure if they choose to do so.

The visibility and understanding of the applications running on your infrastructure are crucial for managing a successful IT infrastructure. By having a good grasp of how the applications function, you can optimize their performance and ensure that they operate efficiently. By keeping the infrastructure code accessible to all, you can ensure that your entire organization can contribute to maintaining and improving the infrastructure, ultimately leading to better outcomes for your business.

Modules and versions

Creating reusable modules in IaC tools helps with maintenance, readability, and ownership. It keeps changes small and independently deployable and reduces the effect radius.

Refactoring IaC is difficult compared to application development, particularly for critical pieces such as DNS records, network configurations, databases, and so on.

In many organizations, team structures and responsibilities are different, so it will make more sense to separate multiple layers of infrastructure and assign governance to the respective teams. In some cases, there might be some more separated layers needed for cross-functional teams managing both infrastructure and application development.

The following diagram illustrates an example of Amazon EKS deployments, featuring multiple modules for each infrastructure layer and their respective governors. It is important to note that the modules and layers depicted in this diagram may differ depending on your specific setup.

Figure 1.1 – EKS deployment workflow

Versioning for modules is quite important to provide support for multiple versions of services that can operate without breaking the existing production resources.

Documentation

IaC minimizes the need for extensive documentation for infrastructure since everything is codified and stated as a declarative manifest. However, some documentation is needed for better infrastructure provisioning so that consumers can understand and improve the current modules and templates.

Documentation can be challenging to manage, much like code. It is critical to provide sufficient documentation to convey the intended message effectively. However, having more documentation does not necessarily equate to better-quality documentation. In fact, outdated documentation can be more detrimental than having no documentation at all.

IaC documentation must live close to the code. Keep it close so that everyone can update the documentation without unnecessary effort and difficult steps. If you can build good governance automation, documentation creation or updates can be easily tracked and enforced.

An effective approach to managing documentation for IaC is to include a README file within the same repository as the code, rather than using an external platform such as Confluence or a wiki. This approach facilitates updating the documentation during the same commit as the code changes, which is particularly useful as a reminder during the pull request process.

It is also ideal to leverage automated tools to generate documentation from the code or use tests as documentation. By doing so, you can ensure that the documentation stays in sync with the code, reducing the likelihood of inconsistencies and outdated information. This approach can also streamline the documentation process, reducing the need for manual documentation efforts and enabling faster iterations.

Testing

Software testing is the process of executing a program or application with the intent of finding errors. Testing can be done at various levels, from unit testing to integration testing to system testing and acceptance testing.

IaC development is not an easy task. There are many different aspects and considerations that need to be taken into account before, during, and after the development process. One of these considerations is how to test your IaC. Let’s provide you with a basic understanding of the various levels of testing that you need to think about when developing your IaC:

Running quick tests as frequently as possible is crucial for obtaining prompt feedback during the development process. This approach is especially effective when performed on your local machine. There are various integrations available that can automate this process and trigger tests automatically when you save a file in your text editor or IDE.

To perform static analysis, you can use specialized tools such as Terraform Validate or TFLint. These tools enable you to identify issues in your code and configurations promptly, reducing the likelihood of errors and inconsistencies in your infrastructure. By incorporating quick testing and static analysis into your development process, you can streamline the testing process and improve the reliability of your infrastructure.

Since many IaC tools, such as Terraform and Ansible, operate on a declarative model, unit testing may not always be necessary. However, in some cases, unit tests can be beneficial, particularly when conditionals or loops are involved.

While unit testing may not always be required for IaC, incorporating it where necessary can help to catch potential issues early on in the development process, improving the overall quality of your infrastructure.

One essential step in ensuring the reliability of your infrastructure is to perform validation testing. This involves provisioning resources in a test environment and verifying whether specific requirements are met. It is crucial to avoid writing tests for things that are already covered by your IaC tool, particularly when working with declarative code.

For example, instead of verifying whether the policies specified in IaC were applied, you should write automated tests to ensure that none of your S3 buckets are public. Similarly, you can test that only specific ports are open across all of your EC2 instances. To perform these tests, you can provision an ephemeral environment that you can later tear down.

Depending on the duration of these tests, you may want to run them after every commit or as nightly builds. By incorporating validation testing into your development process, you can catch potential issues early on, reduce the risk of errors, and ensure the overall reliability of your infrastructure.

An additional approach to testing is to provision an environment, deploy a dummy application, and run quick smoke tests to verify that the application has been deployed correctly. Using a dummy application can be helpful in testing scenarios that your actual application may encounter but are not configured for production.

For example, if your application connects to an externally hosted database, you should attempt to connect to it in your dummy application. By doing so, you can gain confidence that the infrastructure you are provisioning is capable of supporting the applications you intend to run on it.

As these tests can be time-consuming, it is advisable to run them after provisioning a new environment and periodically thereafter. By leveraging this testing approach, you can ensure that your infrastructure is capable of supporting your application’s requirements and minimize the risk of errors or issues arising during deployment.

Security and compliance

The definition of IaC is to provide an abstraction layer between the physical infrastructure and the applications that run on top of it. This is done by separating the hardware from the software and by abstracting out all of the tasks that are required to manage the hardware.

IaC can be used by companies for compliance purposes, such as HIPAA, SOX, PCI DSS, and so on. It can also be used for security purposes, such as preventing unauthorized access to data or preventing hackers from accessing sensitive information.

Let’s look at important details of security and compliance.