title: Introduction to Terraform using OCI
author: Vít Kotačka, Ladislav Dobiáš ...
- Login to OCI console
- Prerequisites
- Setup OCI API key
- Today's Goals with Terraform
- Terraform - setup
- Terraform - first test
- Terraform - steps
- Terratest
OCI - Oracle Cloud Infrastructure

- console URL: https://console.eu-frankfurt-1.oraclecloud.com/?tenant=czechedu2020
- user: email
- password: generated, needs to be changed on first login

authorization:
- every student is in one of the student* groups
- every group student* can:
  - do all in their compartment (same name as the group)
  - read all resources
  - (these policies would be too open for a real production environment)
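As an added example (not code from the workshop repository or its compartment-group-policy module), the per-group authorization described above written with the OCI Terraform provider's oci_identity_policy resource, next to a tighter variant that replaces the tenancy-wide read. The variable names, the group name "student1" and the set of tenancy-level reads in the tighter policy are assumptions; which reads the web-server stack really needs has to be confirmed against the OCI policy reference with a plan/apply.

```hcl
# Added example, not the workshop's own module.
# Assumed inputs: var.tenancy_ocid (root of the tenancy) and var.student_group.
variable "tenancy_ocid" {}
variable "student_group" {
  default = "student1" # placeholder group name
}

# Compartment with the same name as the group, as in the workshop setup.
resource "oci_identity_compartment" "student" {
  compartment_id = var.tenancy_ocid
  name           = var.student_group
  description    = "Workshop compartment for ${var.student_group}"
}

# IAM groups live in the tenancy (root compartment).
resource "oci_identity_group" "student" {
  compartment_id = var.tenancy_ocid
  name           = var.student_group
  description    = "Workshop group ${var.student_group}"
}

# Policy as the workshop grants it: full control of the own compartment plus
# read on everything in the tenancy. The second statement is the one that is
# too open for production: every group can read every other compartment.
resource "oci_identity_policy" "student_workshop" {
  compartment_id = var.tenancy_ocid
  name           = "${var.student_group}-workshop"
  description    = "Workshop policy (intentionally permissive)"
  statements = [
    "Allow group ${oci_identity_group.student.name} to manage all-resources in compartment ${oci_identity_compartment.student.name}",
    "Allow group ${oci_identity_group.student.name} to read all-resources in tenancy",
  ]
}

# Tighter variant: keep the compartment-scoped manage, but list only the
# tenancy-level lookups the stack needs (assumption: compartment listing and
# the public image catalogue) instead of read on all-resources in tenancy.
resource "oci_identity_policy" "student_least_privilege" {
  compartment_id = var.tenancy_ocid
  name           = "${var.student_group}-least-privilege"
  description    = "Compartment-scoped grant with minimal tenancy-level reads"
  statements = [
    "Allow group ${oci_identity_group.student.name} to manage all-resources in compartment ${oci_identity_compartment.student.name}",
    "Allow group ${oci_identity_group.student.name} to inspect compartments in tenancy",
    "Allow group ${oci_identity_group.student.name} to inspect instance-images in tenancy",
  ]
}
```

Apply only one of the two policy resources; the first reproduces the workshop behaviour, the second is the shape you would move to once you know which lookups outside the compartment the plan actually performs.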
quota:
- important:
  - virtual machine shapes: 3x 15 VM.Standard2.1 (1 in each AD)
  - loadbalancers: 15 in region
Prerequisites

All commands expect a Unix or Linux environment. They will probably not work on Windows.

You should have these installed (can be in docker, too):
- curl
- git
- openssl
- terraform, e.g.:
  ```bash
  wget https://releases.hashicorp.com/terraform/0.12.24/terraform_0.12.24_linux_amd64.zip
  unzip terraform_0.12.24_linux_amd64.zip
  mv terraform ~/bin
  ```
- go 1.11+ (for terratest)

Optional (recommended - for OCI API key setup, ...):
- python3
  ```bash
  sudo yum install python3
  ```
- oci cli - install OCI cli: https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliinstall.htm
  ```bash
  sudo pip3 install oci-cli
  ```
- jq (for json parsing)
Setup OCI API key

2 possibilities:
- using OCI cli - generate the OCI API key into ~/.oci:
  ```bash
  oci setup config
  ```
  - provide:
    - user OCID - get it from the UI console
    - tenancy OCID (also from the UI): ocid1.tenancy.oc1..aaaaaaaagpl3dtrsgsdrpjmtkffgtywh3gcesjyk4psebzssdlngpyg3luda
    - region: eu-frankfurt-1
- manual way:
  - add the key via console UI: your user -> API Keys -> Add Public Key
  - paste the contents of ~/.oci/oci_api_key_public.pem there and press Add

simple tests using oci cli:
```bash
oci iam region list
oci compute image list --compartment-id ocid1.tenancy.oc1..aaaaaaaagpl3dtrsgsdrpjmtkffgtywh3gcesjyk4psebzssdlngpyg3luda
```

example of using jq:
```bash
oci compute image list --compartment-id ocid1.tenancy.oc1..aaaaaaaagpl3dtrsgsdrpjmtkffgtywh3gcesjyk4psebzssdlngpyg3luda --all \
  | jq -r '.data[]|"\(.id) \(."display-name")"'
```
Today's Goals with Terraform

This will be achieved at step #6.

Note: there are some "mistakes" included in several steps. Find them and fix them.

This will be achieved at the last step.
Terraform - setup

- get sources:
  ```bash
  git clone https://github.com/ladaedu/oci-terraform-intro
  cd oci-terraform-intro/web-server
  ```
- edit the variables in env-vars.example that are not commented out; copy it first:
  ```bash
  cp env-vars.example env-vars
  ```
  - use data from ~/.oci/config
- source it:
  ```bash
  . env-vars
  ```
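To show where the values sourced from env-vars end up, here is an added example of the OCI provider wiring (not the workshop's own variables.tf; the variable names follow the TF_VAR_* convention of the public OCI examples and are an assumption about this repository). The point from a security angle: the credentials are declared without defaults, so they come only from the environment and never sit in a .tf file that gets committed.

```hcl
# Added example, not a file from the workshop repository.
# Assumption: env-vars exports TF_VAR_tenancy_ocid, TF_VAR_user_ocid,
# TF_VAR_fingerprint, TF_VAR_private_key_path and TF_VAR_region, taken from
# the matching lines of ~/.oci/config.

# No defaults on purpose: terraform refuses to run without the environment
# being sourced, and no credential is ever written into the repository.
variable "tenancy_ocid" {}
variable "user_ocid" {}
variable "fingerprint" {}
variable "private_key_path" {} # path to the PEM file, not the key itself
variable "region" {
  default = "eu-frankfurt-1"
}

provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.private_key_path
  region           = var.region
}
```

Keep env-vars (and the private key it points to) out of version control; only env-vars.example, which carries no real values, belongs in the repository.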
- list current *.tf files:
  ```bash
  ls *.tf
  ```
  - output (recommended to look inside the files):
    network.tf variables.tf
- init terraform (download providers, modules, ...):
  ```bash
  alias tf=terraform
  tf init
  ```
Terraform - first test

- plan:
  ```bash
  tf plan
  ```
- apply:
  ```bash
  tf apply
  ```

Terraform - steps
- VCN, gateways
- Datasources - ADs, Tenancy
- Bastion - network: routing table, seclist, subnet
- Bastion VM
- Private Subnet for Web servers - network: routing table, seclist, subnet
- Web server
- Outputs - IP addresses
- Load balancer + add some web servers
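The bastion and private-subnet steps above each bring their own security list. As an added example (not the workshop's network.tf or any of the step files), here is what least-privilege versions of those two lists look like with oci_core_security_list: the bastion accepts SSH only from an admin range, the web servers accept SSH only from the bastion subnet and HTTP only from the load balancer subnet. The variable names, oci_core_vcn.vcn, the CIDRs and the assumption that the private subnet egresses through a NAT gateway are all placeholders.

```hcl
# Added example, not from the workshop files.
# Assumed inputs: var.compartment_ocid and an existing resource oci_core_vcn.vcn.
variable "compartment_ocid" {}

variable "admin_cidr" {
  description = "Source range allowed to SSH to the bastion (assumption: your office or VPN range)"
  default     = "203.0.113.0/24" # TEST-NET-3 placeholder, replace before use
}
variable "bastion_subnet_cidr" { default = "10.0.1.0/24" } # placeholder
variable "web_subnet_cidr"     { default = "10.0.2.0/24" } # placeholder
variable "lb_subnet_cidr"      { default = "10.0.3.0/24" } # placeholder

resource "oci_core_security_list" "bastion" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "bastion-seclist"

  # SSH from the admin range only, never from 0.0.0.0/0.
  ingress_security_rules {
    protocol = "6" # TCP
    source   = var.admin_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }

  # The bastion only needs to open SSH towards the web subnet.
  egress_security_rules {
    protocol    = "6"
    destination = var.web_subnet_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }
}

resource "oci_core_security_list" "web" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "web-seclist"

  # SSH reachable only through the bastion subnet.
  ingress_security_rules {
    protocol = "6"
    source   = var.bastion_subnet_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }

  # nginx on port 80 reachable only from the load balancer subnet,
  # so the only public path to the web servers is the LB.
  ingress_security_rules {
    protocol = "6"
    source   = var.lb_subnet_cidr
    tcp_options {
      min = 80
      max = 80
    }
  }

  # Outbound HTTPS so the private instances can fetch packages
  # (assumption: via a NAT gateway on the private route table).
  egress_security_rules {
    protocol    = "6"
    destination = "0.0.0.0/0"
    tcp_options {
      min = 443
      max = 443
    }
  }
}
```

When you compare this with the seclists in the step files, the things to look for are an ingress source of 0.0.0.0/0 on port 22, an open port range instead of a single port, and an egress rule with no protocol or port restriction.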
- rename the next step's TF file, e.g. *.tf1 to *.tf:
  ```bash
  # prints the ln command; run it without the echo to actually create the link
  orig=$(echo *1);link=${orig%?};echo ln -s $orig $link
  ```
  - for the other steps, replace 1 with the next numbers
- plan:
  ```bash
  tf plan
  ```
- apply:
  ```bash
  tf apply
  ```
- check what was created in the UI console
- to add more web server nodes, increase the variable WebVMCount from 1 to e.g. 4 in the file variables.tf
- to add more bastion server nodes, increase the variable BastionVMCount from 1 to e.g. 2 in the file variables.tf
- to test the loadbalancer:
  - from CLI:
    ```bash
    lb_address=$(tf output -json|jq -r .lb_ip.value[0])
    echo $lb_address
    curl http://$lb_address
    # check that round-robin works:
    for i in $(seq 10); do curl -s http://$lb_address; done | grep name
    ```
  - or get the LB IP address from the console UI (Networking/Load Balancers), and test it in a browser - and reload.
Terratest

In terraform_oci_test.go, there are 4 small tests:
- ssh to bastion
- ssh to webserver (via bastion)
- check that webserver nginx port 80 is open using netstat
- check that webserver nginx returns status 200

Terratest will create its own environment, so destroy your environment first, to avoid problems with quota.

- destroy the deployment:
  ```bash
  tf destroy
  ```
- run terratest:
  ```bash
  cd terratest
  go test -v -run TestTerraform
  ```
Questions?
- generate graph - using Graphviz:
  ```bash
  tf graph
  ```
- generate graph with colors:
  ```bash
  ./tf-graph.sh
  ```

Graph of dependencies of resources, variables, outputs:
For creating the initial groups, policies, compartments and users, a custom module compartment-group-policy was created, which reuses the standard OCI Terraform IAM modules - in the terraform-oci-iam directory.

To run these TF scripts, you must be an administrator (and source the correct env-vars file). Steps:
- create compartments, groups, policies:
  ```bash
  cd admin/groups
  tf plan
  tf apply
  ```
- create users - define the correct variables first, then run terraform:
  ```bash
  cd admin/users
  cat <<EOF > variables-users.tf
  variable "student1_name" { default = "first1.last1@email.cz" }
  variable "student2_name" { default = "first2.last2@email.cz" }
  EOF
  tf plan
  tf apply
  ```
  - then "Create/Reset Password" must be done from the console UI for each user
- Terraform:
  - download: https://www.terraform.io/downloads.html
  - OCI provider docs: https://www.terraform.io/docs/providers/oci/
  - OCI provider sources and examples: https://github.com/terraform-providers/terraform-provider-oci
- OCI: