Browser-based applications in the workspace

Ansible-Terraform Workspace. Part 1

Development environment with Ansible, Terraform, and lots of other applications in one Docker image.

9 min read · Sep 19, 2021

Ansible-Terraform workspace contains browser-based Visual Studio Code and multiple tools which make working with Ansible and Terraform more convenient.

Create infrastructure with Terraform and configure it with Ansible. This workspace helps you code and develop; visualize infrastructure and planned Terraform changes; display Ansible hosts and plays; schedule and observe executions; and more!

Workspace demo

There are several reasons to use this workspace.

  1. Convenience. Get started fast, without wasting time on setting up all those tools yourself. Getting Ansible and Terraform ready to use is as simple as starting a Docker container. In addition, you can start and stop multiple workspaces, which makes managing separate, independent cloud infrastructures much easier and safer; for example, you don’t need to switch AWS profiles all the time. You can also export the entire workspace to a file, push it to a (private) Docker registry, and keep different versions of the workspace.
  2. Deploy the workspace on a cloud server. Schedule Ansible playbooks with Cronicle and observe Ansible executions with the Ara dashboard. Deploying this workspace on a cloud server is very handy when you need security and most of your infrastructure is running in a private network. The latter makes it impossible to use a local machine as an executor for Ansible playbooks unless you set up a complex VPN. This workspace can be launched on a bridge server that is in both the private and the public network, and you can use browser-based tools to develop and execute Ansible or Terraform code. Here it is explained how to launch Ansible-Terraform Workspace on a cloud server with HTTPS and authentication.
  3. Reduce the risk of conflicting executions. Although there are ways to prevent conflicting executions of Ansible playbooks or of applying Terraform code (i.e. remote Terraform state), this workspace makes it even easier when it is deployed on a remote cloud server and used by multiple users.

Use workspace to create and configure servers in the private networks

In addition to what’s already mentioned, Ansible-Terraform Workspace has the benefits of any other dockerized workspace:

  • Avoid the tedious process of setting dev environment on your laptop
  • Work conveniently with multiple IT projects on the same laptop
  • Move all your work to another machine easily
  • Start working right away in the workspace prepared for the task
  • Run dev environment in cloud and work from any device, be independent on any cloud service or cloud provider
  • Back-up entire workspaces with important work, save versions of the workspaces before changes
  • Collaborate by sharing the entire workspace or run it in the cloud
  • Move from dev to POC/MVP in a minute
  • Make experiments (try new packages, versions, frameworks) without risking affecting existing environment
  • With a single command start, stop and resume job schedules, related to the same project
  • Create a custom dev environment for your team, and help new-comers to save time on setting up their environments
  • Move dev environment back and forth between powerful Windows PC and macOS laptop in minutes

Read in detail about the advantages of the dockerized workspace and the situations when workspace is a good choice

Run Workspace

Workspaces are merely Docker containers, which is why managing them is easy and intuitive: it is enough to know Docker commands, with no need to learn any new tools. To start a workspace, simply execute in a terminal:

docker run --name space-1 -d -p 8020-8035:8020-8035 -p 9000:9000 alnoda/ansible-terraform-workspace

(It is recommended to run workspace in the daemon mode)

Open http://localhost:8020

The workspace has its own UI, which includes a Quicklaunch (home) page and documentation pages. From the Quicklaunch page you can open any workspace tool. You can modify the documentation pages in order to document the project, workspace use, and setup.

The workspace was started with a port range mapping -p 8020-8035:8020-8035. This is because the workspace contains a set of applications with browser-based UIs. The Ansible-Terraform workspace has a UI from which you can open any of these applications. Open localhost:8020, and from there open the other applications included in the workspace.

Workspace UI

The rest of the ports in the port range can be used to expose optional applications, or applications you might install in the future. So we map several extra ports just in case.

The Ansible-Terraform workspace has the following applications installed, but not started by default:

Terraform Rover provides great visualization for your terraform infrastructure. To visualize any (initialized) Terraform project execute

rover --workingDir <TERRAFORM_PROJECT_FOLDER>

For example, rover --workingDir /home/examples/terraform-scaleway/

NOTE: Terraform Rover only runs on the internal port 9000, that’s why when running Ansible-Terraform workspace it is necessary to map this port explicitly.

Terraform Blast-Radius — a tool for reasoning about Terraform dependency graphs with interactive visualizations.

Start Blast-Radius on any free port in the mapped range:

cd /home/examples/terraform-scaleway && terraform init && blast-radius --serve --port 8030

If you are planning to expose more applications from inside of a container, add an additional port mapping, for example

Of course, you can add even more port mappings to your workspace, for example:

docker run --name space-1 -d -p 8020-8035:8020-8035 -p 9000:9000 -p 8080:8080 -p 443:443 alnoda/ansible-terraform-workspace

NOTE: It is not a problem if you don’t expose any ports from the first run. You can expose the required ports by creating a new image.

Multiple workspaces

Typically you would run one workspace at a time, but there might be cases when launching more than one workspace might be needed. Every workspace needs a range of ports. If one workspace is up and running, and uses the default port range, then ports 8020–8035 are taken.

Ansible-terraform workspace itself uses 10 ports (8020–8029), but it is recommended to map several extra ports for the applications you will launch when working in the workspace, for example, Blast Radius or Rover. Having extra ports, you can always launch new applications on these ports, and they will be immediately exposed outside of the workspace.

In order to start another workspace we need to provide a different port range, for example

docker run --name space-2 -d -p 8040-8055:8020-8035 -e ENTRY_PORT=8040 alnoda/ansible-terraform-workspace

Notice that, in addition, we set the environment variable ENTRY_PORT, which should be equal to the first port in the new range. ENTRY_PORT tells the workspace that a non-default port range is used, so that the Workspace UI opens applications on the proper ports in the browser.

Workspace terminal

The terminal is one of the main developer tools. There are several ways to work with the terminal of the Ansible-Terraform workspace:

Workspace terminal

(Browser-based terminals always work under the user you started the workspace with, the default is non root user “abc”)

If you want to enter the running workspace container from your terminal, execute:

docker exec -it space-1 /bin/zsh

If you don’t want to use z-shell:

docker exec -it space-1 /bin/bash

The same approach lets you enter the workspace as the root user at any time, even if the workspace itself was not started as the root user (the default user is abc):

docker exec -it --user=root space-1 /bin/zsh

You can work in the Ubuntu terminal now. Execute the following command to know your workspace user: whoami

Docker in docker

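It is possible to work with Docker directly from the workspace (using the workspace terminal) by mounting the host’s Docker socket when starting it. Note that the socket gives anyone with access to the workspace control over the Docker daemon on the host.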

docker run --name space-1 -d -p 8020-8035:8020-8035 -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock alnoda/ansible-terraform-workspace

NOTE: in order to use docker in docker you need to enter the workspace container as root

docker exec -it --user=root space-1 /bin/zsh

Run on a remote server

Because the workspace is just a Docker image, running it on any other server is as easy as running it on a local laptop.

Running on a remote server makes it much simpler to collaborate, because you can just share credentials to the workspace with your peers, and they will be able to use it. You can also run applications that should run permanently, and run jobs on a schedule.

Unsecured remote workspace

The simplest deployment of the workspace requires only 3 steps:

  • get virtual server on your favourite cloud (Digital Ocean, Linode, AWS, GC, Azure …)
  • install docker on this server
  • ssh to the remote server and start workspace

docker run --name space-1 -d -p 8020-8035:8020-8035 -p 9000:9000 -e WRK_HOST="<ip-of-your-remote-server>" alnoda/ansible-terraform-workspace

NOTE: When running the workspace on a remote server, add the environment variable -e WRK_HOST="<ip-of-your-remote-server>". The Workspace UI needs this variable to know how to redirect properly to the UIs of the workspace applications.

Open in your browser <ip-of-your-remote-server>:8020

If docker-in-docker is required, then

docker run --name space-1 -d -p 8020-8035:8020-8035 -p 9000:9000 -e WRK_HOST="<ip-of-your-remote-server>" -v /var/run/docker.sock:/var/run/docker.sock alnoda/ansible-terraform-workspace

This launches the workspace in the cloud, but such a workspace is not secure: everyone who knows the IP of your server will be able to use it. You should use this method only if you launch the workspace in a secure internal network or inside a VPN.
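A check for the three settings discussed above (the ENTRY_PORT mapping, the Docker socket mount and the openly published ports), as an added example that is not code from the workspace project: it reads one `docker inspect` record and reports each problem it finds. The sample record is constructed, and the UI living on container port 8020 with a default ENTRY_PORT of 8020 is an assumption taken from the commands on this page.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not a real capture).
SAMPLE = json.loads("""
[{"Name": "/space-2",
  "Config": {"Env": ["PATH=/usr/bin", "ENTRY_PORT=8020"]},
  "NetworkSettings": {"Ports": {
    "8020/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8040"},
                 {"HostIp": "::", "HostPort": "8040"}],
    "8021/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8041"}],
    "8022/tcp": null}},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]}]
""")

LOOPBACK = {"127.0.0.1", "::1"}
UI_PORT = "8020/tcp"  # assumption: the Workspace UI is container port 8020


def audit(container):
    """Return a list of findings for one `docker inspect` record."""
    findings = []
    ports = container.get("NetworkSettings", {}).get("Ports") or {}

    # Any binding that is not on loopback can be reached from other hosts.
    exposed = sorted({int(b["HostPort"])
                      for binds in ports.values() for b in binds or []
                      if b.get("HostIp") not in LOOPBACK})
    if exposed:
        findings.append(f"reachable from other hosts: {exposed}")

    # The Docker socket hands the container control of the host's daemon.
    if any(m.get("Source", "").endswith("/docker.sock")
           for m in container.get("Mounts") or []):
        findings.append("host Docker socket is mounted")

    # ENTRY_PORT has to name the host port that maps to the UI port.
    env_list = container.get("Config", {}).get("Env") or []
    env = dict(e.split("=", 1) for e in env_list if "=" in e)
    ui = sorted({b["HostPort"] for b in ports.get(UI_PORT) or []})
    entry = env.get("ENTRY_PORT", "8020")  # assumption: default when unset
    if ui and entry not in ui:
        findings.append(f"ENTRY_PORT={entry} but the UI is published on {ui}")
    return findings


if __name__ == "__main__":
    for record in SAMPLE:
        print(record["Name"], audit(record))
```

On a real host, pass it each element of the JSON list printed by `docker inspect space-1`.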

Secure remote workspace

You might want to restrict access to the cloud workspace and secure communication with it using encryption.

There are many situations in which running the Ansible-Terraform workspace on a public network over the Internet is required. This can be done by running the workspace behind a reverse proxy over HTTPS with authentication. Here is the example of a docker-compose file that launches the Ansible-Terraform workspace behind a proxy with middlewares that enable HTTPS and auth (TLS certificates are not included in the example). For some engineers this might be an easy task, but for many who do not have experience in this area it would be a daunting task that can easily consume several days. That’s why the Ansible-Terraform workspace comes with a nice little tool that generates a docker-compose project (including certificates and passwords) to launch the workspace on any cloud server easily, securely and without hassle.

Ansible-terraform-workspace contains a utility that will generate everything needed to launch the workspace in the cloud in a secure way, with authentication, and with TLS.

If you would like to run the workspace on a remote server securely, launch the Ansible-Terraform workspace on your local laptop first, open its terminal, and use the utility /home/abc/utils/remote.py to generate a docker-compose project with TLS certificates. Simply execute

python /home/abc/utils/remote.py --workspace="ansible-terraform-workspace" --port="<ENTRY_PORT>" --host="<IP_OF_CLOUD_SERVER_WITH_PUBLIC_ACCESS>" --user="<ANY_USER_NAME>" --password="<ANY_USER_PASSWORD>"

for example:

python /home/abc/utils/remote.py --workspace="ansible-terraform-workspace" --port="8020" --host="68.183.69.198" --user="user1" --password="pass1"

NOTE: you have to specify the correct host (IP of the server you want to run the workspace on), and the user and password of your choice.

After the command is executed, you will see that a folder /home/abc/utils/remote has been created. Download it from the workspace to your local environment using the Filebrowser.

Copy this folder to the remote server where you want to launch the Ansible-Terraform workspace. You can use Cyberduck or SCP. SSH to the server, cd to the directory you copied, and execute

docker-compose up -d

That’s it, your workspace is running securely on the remote server, using self-signed TLS certificates for encrypted HTTPS communication between your laptop and the remote workspace, and authentication is added.

Ansible-Terraform Workspace Part 2
