Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
In this module you will learn how to leverage tools like Terraform, the OCI Command Line
Interface (CLI), Chef, and the OCI Software Development Kit (SDK) to automate common
tasks. We will discuss the concept of Infrastructure as Code and how Terraform can be
used to provision a complete set of OCI resources.
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. 1-2
Module 3: Goals and Objectives
• Describe key features and functionality of Terraform, CLI, Chef, and the OCI SDK
• Describe the core components of Terraform: providers, resources, and variables
• Compare and contrast Terraform against other, agentless provisioning tools
• Use the CLI to create, discover, and terminate resources
• Use Terraform with the OCI provider to provision a VCN and Compute resource
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. 1-3
Hands-on Labs
1. Getting started with the OCI Command Line Interface (30 minutes)
2. Getting started with Terraform (60 minutes)
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. 1-4
Automation Concepts and Tools
Infrastructure as Code
• Ad-hoc scripts such as PowerShell or Bash (OCI Command Line Interface)
• Configuration Management Tools (Chef, Puppet, Ansible)
• Server templating tools (Packer, Vagrant, Docker)
• Infrastructure Automation Tools (Terraform, Heat, CloudFormation)
Infrastructure Lifecycle
• Provision
• Update
• Destroy
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. 1-5
OCI Software Development Kits (SDK)
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. 1-6
OCI Software Development Kits (SDK) - continued
object_storage_client = oci.object_storage.ObjectStorageClient(config={},
signer=signer)
print(object_storage_client.get_namespace().data)
print(object_storage_client.list_buckets(namespace_name=object_storage_client
.get_namespace().data, compartment_id=compartment_id).data)
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. 1-7
Overview of the CLI
The CLI is an essential tool for managing your OCI resources. It provides much of the same
functionality found in the console, and extended functionality through the use of scripts.
Key Features
• Built with the Python SDK
• Compatible with Python 2.7.5+ or 3.5+
• Compatible with Mac, Windows, and Linux
• Direct OCI API interaction
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. 1-8
CLI Command Construct
The OCI CLI is a unified tool that allows interaction with most service through a single
command. After entering the program command specify the service, the action, and any
additional switches.
$ oci compute instance list --region us-phoenix-1 --availability-domain gKOA:PHX-AD-1 --limit 2 --sort-by TIMECREATED
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. 1-9
Installing the CLI
The CLI can either be installed using a script, or it can be done manually. In this module, we
are going to focus on the automated method because, well, AUTOMATION!
Windows
1. Run PowerShell as administrator
> Set-ExecutionPolicy RemoteSigned
Linux
1. From the terminal prompt, run:
$ bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"
Before using the CLI, you must provide IAM credentials with appropriate access. The
credentials provided will be separated into profiles and stored in ~/.oci/config
$ cat ~/.oci/config
[DEFAULT]
user=ocid1.user.oc1..aaaaaaaaja3b5st7wd5lkj245jlk235lk23sdf9sdfdhwlndbm6mf7pznq
fingerprint=8b:cc:27:61:dd:92:22:45:c1:24:f1:3d:84:5f:ee:b4
key_file=/home/opc/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.oc1..aaaaaaaaxy6bh46cdnlfpwerljwelrkjwer23cxtfxhhva2hna
region=us-phoenix-1
compartment-id=ocid1.compartment.oc1..aaaaaaaa3xly5up5a3kyqwekhrqwq46krhqwrwzrmysspva
Profiles allow you to specific multiple sets of credentials within your config file. Once
defined, you may reference the appropriate profile at runtime.
[DEFAULT]
…
…
[dev_compartment]
user=ocid1.user.oc1..aaaaaaaaja3b5st7wd5lkj245jlk235lk23sdf9sdfdhwlndbm6mf7pznq
fingerprint=8b:cc:27:61:dd:92:22:45:c1:24:f1:3d:84:5f:ee:b4
key_file=/home/opc/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.oc1..aaaaaaaaxy6bh46cdnlfpwerljwelrkjwer23cxtfxhhva2hna
region=us-phoenix-1
compartment-id=ocid1.compartment.oc1..aaaaaaaa8asdf6lkj7wer5lh3aer0asdv9j
Working with the CLI can allow for streamlined operations through automation. The
following features can make reduce the effort of command execution and simplify the
resulting command output.
$ oci compute image list --query "data [*].{ImageName:\"display-name\", OCID:id}" --output table
The following is an example of a simple BASH script. In the script we launch a new
instance, wait for it to respond to an SSH request, then test the sample website.
#!/bin/bash
instance_id=$(oci compute instance launch --from-json file://compute_template.json \
--query “data.id” | sed –e ‘s/^”//’ –e s/”$//’
pub_ip=$(oci compute instance list-vnics --instance-id $instance_id --query \
“data [*].\”public-ip\”” | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’)
Chef is one of the industry’s leading configuration management tools. Used for deploying
and managing host and application configuration, it can also be used to provision OCI
resources. Additionally, Chef integrates with Terraform as a provisioner allowing customers
to combine tools to achieve maximum benefit.
We will talk about Terraform provisioners in the next section.
In this section, we will focus on how Chef can be utilized to automate the provisioning or
resources and management of application configuration.
To learn more about getting the most out of Chef, visit their education site:
https://learn.chef.io/
For those already using Chef, these terms should sound familiar. Lets run through a quick
review.
Cookbook A cookbook is the fundamental unit of configuration and policy distribution. It defines a
scenario and contains everything that is required to support that scenario.
Recipe A recipe is akin to a configuration element. It should define everything that is required to
configure a part of the system.
Template A template is used to generate static files. It leverages Embedded Ruby (ERB) to allow
for dynamic content. At runtime, variables may be replaced by values relevant to the
application or the environment.
Attribute An attribute is a specific detail about a node. It might be data retrieved from the
operating system by Ohai*, or a specific value defined by the user.
Data bag A data bag is a global variable stored as JSON and is accessible from the Chef server.
Data bags can be encrypted making them a great choice for the management and
distribution of secrets.
Recipe Template
service 'nginx’ do geo $<%= @remote_ip_var %> $authorized_ip {
supports :status => true, :restart => true, :reload => true default no;
End <% @authorized_ips.each do |ip| %>
<%= "#{ip} yes;" %>
template 'authorized_ip’ do <% end %>
path "#{node['nginx']['dir']}/authorized_ip“ }
source 'modules/authorized_ip.erb’
owner 'root’
group 'root’
mode '0755’
variables( Attributes
:remote_ip_var => node['nginx']['remote_ip_var’], node.default['nginx']['remote_ip_var’] = 'remote_addr’
:authorized_ips => node['nginx']['authorized_ips'] ) node.default['nginx']['authorized_ips’] = ['127.0.0.1/32’]
notifies :reload, 'service[nginx]', :immediately node.default['nginx’][‘conf_dir’] = [‘/opt/nginx/conf’]
end
• Chef DK, or Development Kit includes a collection of tools that you use to interact with
the Chef Server. Knife is the command line tool that we will focus on in this course.
• The Chef Server acts as a Hub for your configuration data. It also manages interaction
with the Chef agent that is installed on client servers.
• Clients / Nodes run the chef client and interact with the Chef Server to retrieve
configuration data periodically.
Chef can be used to configure and manage resources in your Oracle Cloud Infrastructure,
similar to how you may already be using it on-premesis. However, the knife utility can be
extended by the OCI plugin. This will enable you to interact with the OCI API’s directly from
the knife tool.
Install
$ chef gem install knife-oci or $ gem install knife-oci
Configure
Utilizes ~/.oci/config that is required by the OCI Command Line Interface
Requires additional entries into the knife.rb file
knife[:oci_config_file] = ‘~/.oci/alternate_config_file’ #optional
knife[:oci_profile] = ‘NOT_DEFAULT_PROFILE’ #optional
knife[:compartment_id] = ‘ocid1.compartment.oc1..aaaaaaaaaadfjl6xfziasefl38afel3alwifea’
Steps
1. Provision a compute resource and assign the appropriate public key
2. Use the knife command to connect remotely and apply the desired configuration
$ knife bootstrap 129.146.22.221 --ssh-user opc --sudo --identity-file ~/.ssh/id_rsa
--node-name chef-client-1 --run-list ‘recipe[learn_chef_httpd]’
3. Wait for the configuration to be applied. This will also install the chef agent on the server
and henceforth it will check in regularly with the Chef server
Provision
• Vagrant: Create and configure portal development environments
• Packer: Create platform-specific machine images from a single source
• Terraform: Create, combine, and manage infrastructure across multiple providers
Secure
• Vault: Centrally store, secure, and control access to distributed secrets.
Run
• Nomad – Cluster manager and scheduler to deploy across any infrastructure
• Consul – Distributed, highly-available tool for service discover, configuration, and
orchestration
HCL can reference creation details of other entities in the template, and can also consume
OS-level environment variables, making it adaptable to your needs.
Outputs:
After installing Terraform, you will need to set up the OCI Provider.
Providers abstract the APIs from the given third party in order to create infrastructure.
Example:
provider "oci" {
tenancy_ocid = "${var.tenancy_ocid}"
user_ocid = "${var.user_ocid}"
fingerprint = "${var.fingerprint}"
private_key_path = "${var.private_key_path}"
region = "${var.region}"
}
The OCI provider enables Terraform to create, manage, and destroy resources in your
tenancy.
Once a provider is configured, you may begin using that provider’s resources. With the OCI
provider, you may create resources such as compute instances, databases, block and object
storage, and networks.
$ terraform apply
$ terraform destroy
In these examples we saw some variables, like compartment_id, image, shape_id. Ideally variables defined
in a "variables.tf" where defaults can be supplied.
Variables that have no default value set will cause terraform to prompt for the variable during a plan or apply.
Default variables can be overridden by the environment, command line, tfvars file, or inline.
A .tfvars file can also be used to set variables and their values
instance_type="VM.Standard1.2"
Terraform can be directed to display the variables that are generated dynamically as pat of the process of
creating the infrastructure.
For example, after a run we might want to see the public ip of the host:
$ cat outputs.tf
output "InstancePrivateIP" { value = ["${data.oci_core_vnic.InstanceVnic.private_ip_address}"]}
output "InstancePublicIP" { value = ["${data.oci_core_vnic.InstanceVnic.public_ip_address}"]}
Outputs are often used to facilitate interaction with other infrastructure tools. Terraform show (human
readable) and terraform.tfstate file also store these outputs.
Terraform can also integrate with provisioners like Chef, puppet, Ansible, shells scripts. An example below
is using a provisioner to remote-exec a command to touch a file.
$ cat remote-exec.tf
resource "null_resource" "remote-exec" {
depends_on = ["oci_core_instance.TFInstance"]
provisioner "remote-exec" {
connection {
agent = false
timeout = "10m"
host = "${data.oci_core_vnic.InstanceVnic.public_ip_address}"
user = "opc"
private_key = "${var.ssh_private_key}"
}
inline = [
"touch ~/IMadeAFile.Right.Here",
]
}
}
Terraform builds dependency graphs for planning state management and more.
$ terraform graph | dot –Tpng > tgraph1.png
Pros
• Vault, Consult, Nomad, Packer, Atlas all weave into the Terraform story
• Good for starting simple and evolving to more complex architecture
• Encourages the use of immutable infrastructure.
• Frequent releases, good project vitality, commercial support available
• Tool designed only for provisioning infrastructure - tries to keep clutter out of the concept
Cons
• Importing existing infrastructure challenging
• Configuration and server management tools are still needed. If those tools can serve the
infrastructure provisioning needs, then terraform may be extraneous in some cases.
• Not all application architectures support the concept of immutability
Manage Existing
Difficult No Yes
Deployments
Agent/Master No / No No / No No / No
1. Getting started with the OCI Command Line Interface (30 minutes)
2. Getting started with Terraform (60 minutes)