AWS Summit, Developer Lounge
TER301: Terraforming AWS safely and collaboratively with Atlantis
Steve Teo, Director of Cloud Security Engineering, Horangi Cyber Security
www.linkedin.com/in/steveteo
Steve "Potay" Teo
• CloudDevSecOps Fanatic
• Currently building products at Horangi
• Progression => UI/UX Designer / Developer => Full Stack Developer => Build & Release Engineer => Infrastructure & Tools Architect
• AWS Areas of Interest: AWS Multi-Account Strategy, Cloud Security
• Totally uncertified and proud :P
What this talk is about
• Quick Introduction to Terraform
• Challenges around Terraform State Management and Collaboration
• How Atlantis solves these challenges safely and collaboratively
• Demo

What this talk is not about
• Every other advanced Terraform topic
• Terraform vs CloudFormation
• Every Little Atlantis Feature! RTFM
Providers
• Multi-Provider Orchestration
• Abstracts APIs as resources
• Context for resources, e.g. aws_instance, aws_ec2_transit_gateway, aws_db_instance
State file is Sacred!
• Real-world mapping of resources
• Tracks metadata of each resource and its dependencies with respect to other resources
• State is exposed - Protect your state file at all cost!
• Teams collaborate via state files
Local Terraform Usage
Pros
• Simple
Issues
• No backup of state files
• Not even possible to collaborate in a team setting
• Different developers have different Terraform environments
• Doesn't integrate into a CI/CD workflow
Remote Backend Terraform Usage
Cons
• No backup of state files
• Not even really possible to collaborate in a team setting
• Different developers have different Terraform environments
• Doesn't integrate into a CI/CD workflow
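To make the remote-backend slide concrete, here is an added example (not from the talk) of an S3 backend with state encrypted at rest and locked through DynamoDB, alongside the bucket and lock-table definitions that back it. Bucket, table, region and KMS key values are placeholders; the split into separate aws_s3_bucket_* resources assumes AWS provider 4.x or later.

```hcl
# Backend block (placeholders): state is stored in S3, encrypted with KMS,
# and locked via DynamoDB so two applies cannot race on the same state file.
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket"
    key            = "network/terraform.tfstate"
    region         = "ap-southeast-1"
    encrypt        = true
    kms_key_id     = "arn:aws:kms:ap-southeast-1:123456789012:key/EXAMPLE-KEY-ID"
    dynamodb_table = "example-tfstate-lock"
  }
}

# State bucket: versioned (recover an overwritten state), KMS-encrypted, never public.
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-tfstate-bucket"
}
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = "arn:aws:kms:ap-southeast-1:123456789012:key/EXAMPLE-KEY-ID"
    }
  }
}
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: the backend writes one LockID item per state file during plan/apply.
resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "example-tfstate-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
```

The bucket and table must exist before `terraform init` of any configuration that uses them as a backend, so they are normally created once from a separate bootstrap configuration. Access to the bucket should be limited to the identities that run Terraform, since the state contains everything the resources do.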
Atlantis
• Started in HootSuite by Anubhav Mishra and currently maintained by Luke Kysow
• Battle-tested at HootSuite with 100 developers working on 600 Terraform Repositories
• Self-hosted
• Open-source, supported by Hashicorp
• Well written docs
• Active maintainer
Centralizes Terraform Plans and Applies
• Issue: Pull requests can become really noisy through multiple plan iterations
• Solution: Iterate locally against a Sandbox account or against read-only state in an S3 bucket
Gotchas I Found
- Approval / mergeability checks don't really work in solo-based scenarios within a team-based setting
- Works in a very plan / apply centric model. No out-of-the-box support for other terraform state manipulation commands, or even destroy. All this needs to be handled
- Security models for working within Atlantis workflows are still being worked out, e.g. https://github.com/runatlantis/atlantis/issues/308. Definitely evaluate this very carefully if you are using this for a production system within a low-trust team model
© Amazon Web Services, Inc. or its affiliates. All rights reserved.
Steve Teo, Director of Cloud Security Engineering, Horangi Cyber Security
www.linkedin.com/in/steveteo