Terraform Notes PPT 25th August 2024 - KPLABS
PPT Version
PPT Release Date = 25th August 2024
Please check regularly that you are using the latest version.
The Latest Version Details are mentioned in the PPT Lecture in Section 1.
Understanding the Need
My personal journey started with implementing “AWS Hardening” guidelines.
There were 100+ pages of guidelines, and it used to take 2-3 days to implement
in 1 account.
[Diagram: an HCL configuration containing Hardening Rule 1, Rule 2 and Rule 3 is deployed by Terraform to AWS Account 1 and AWS Account 2]
Once you learn Terraform Core concepts, you can write code to create and
manage infrastructure across all the providers.
Overview of Terraform Certification
Terraform has become one of the most popular and widely used tools to create and
manage infrastructure, and one of the de facto IAC tools for DevOps.
Something about me :-
kplabs.in/chat
Be Awesome
kplabs.in/linkedin
About the Course
Understanding the Basics
This is a certification-specific course and we cover all the pointers that are part
of the official exam blueprint.
Point to Note
The arrangement of topics in this course is a little different from the exam
blueprint to ensure this course remains beginner friendly and topics are covered
in a step by step manner.
Course Resource - GitHub
All the code that we use during practicals has been added to our GitHub page.
Course Resource - PPT Slides
ALL the slides that we use in this course are available to download as PDF.
The PDF is attached as part of the lecture titled “Central PPT Notes”.
Our Community (Optional)
We also have a Discord community that allows all the individuals who are
preparing for the same certification to connect with each other for discussions as
well as technical support.
https://kplabs.in/chat
Important Note - Platform for This Course
Terraform supports hundreds of platforms like AWS, Azure, GCP etc.
We use very basic AWS services like Virtual Machines and AWS users to
demonstrate and learn the core Terraform concepts.
We have hundreds of users from different platforms like Azure who have
completed this course and are actively implementing Terraform for different
platforms.
Infrastructure as Code (IAC)
Understanding the Basics
There are two ways in which you can create and manage your infrastructure:
● Manual approach.
● Through Automation
Work Requirement: Database Backup
I was assigned a task to take a database backup every day at 10 PM, and the
backup had to be stored in Amazon S3 Storage with an appropriate timestamp.
● db-backup-01-01-2024.sql
● db-backup-02-01-2024.sql
[Diagram: Initiate Backup on the Database → Upload Backup → Amazon S3]
Learning from this Work Requirement
If a particular task has to be done in a repeatable manner, it MUST be
automated.
Points to Note:
1. Depending on the type of task, the tools for automation will change.
2. There is a wide variety of tools & technologies used for automation, like
Ansible, CloudFormation, Terraform, Python etc.
Example of a Single Service
A set of resources (Virtual Machine, Database, S3, AWS Users) must be created
with exactly the same configuration in the Dev, Stage and Production environments.
IAC Tool
● Version Control.
● Terraform
● CloudFormation
● Heat
● Ansible
● SaltStack
● Chef, Puppet and others
Categories of Tools
The tools are broadly divided into two major categories:
Infrastructure As Code
Example: ALL servers should have Antivirus installed with version 10.0.2
[Diagram: Ansible installs the AV on the server fleet]
Infrastructure Orchestration
Infrastructure Orchestration is primarily used to create and manage
infrastructure environments.
Example: Create 3 servers with 4 GB RAM, 2 vCPUs. Each server should have a
firewall rule to allow SSH connections from Office IPs.
[Diagram: Terraform creates and manages the infrastructure fleet]
IAC & Configuration Management = Friends
[Diagram: Terraform deploys first_server.tf to AWS, creating a new EC2 instance; once the EC2 instance is running, Ansible takes over the configuration of the server]
How to choose IAC Tool?
i) Is your infrastructure going to be vendor specific in the longer term? Example: AWS.
ii) Are you planning to have a multi-cloud / hybrid cloud based infrastructure?
2. Official support is required in case the team faces any issue related to the IAC tool or
the code itself.
3. They want some kind of GUI interface that supports automatic code
generation.
Use-Case 2 - Requirement of Organization 2
[Diagram: Download Terraform]
knowledge portal
Supported Platforms
● Windows
● macOS
● Linux
● FreeBSD
● OpenBSD
● Solaris
Terraform Installation - Mac & Linux
There are two primary steps required to install Terraform on Mac and Linux.
Choosing IDE For Terraform
Terraform in detail
Terraform Code in Notepad!
You can write Terraform code in Notepad and it will work just the same.
Downsides:
● Slower Development
● Limited Features
Need of a Better Software
There is a need for a better application that allows us to develop code faster.
What are the Options!
There are many popular source code editors available in the market.
Editor for This Course
We are going to make use of Visual Studio Code as primary editor in this course.
Advantages:
1. Supports Windows, Mac, Linux
2. Supports a wide variety of programming languages.
3. Many Extensions.
Visual Studio Code Extensions
Understanding the Basics
Extensions are add-ons that allow you to customize and enhance your
experience in Visual Studio Code by adding new features or integrating existing tools.
Registering an AWS Account
Authentication and Authorization
Understanding the Basics
Before we start working on managing environments through Terraform, the first
important step is related to Authentication and Authorization.
Example:
[Diagram: Terraform presents a username/password credential (Bob / pwd928#) to the provider and the operation is marked Done]
Access Credentials
Depending on the provider, the type of access credentials would change.
Example: GitHub Tokens
EC2 Instance
In short, it's the name for a virtual server that you launch in AWS.
[Diagram: Virtual Machine = EC2 Instance]
Available Regions
Cloud providers offer multiple regions in which we can create our resources.
You need to decide the region in which Terraform would create the resource.
Virtual Machine Configuration
A Virtual Machine would have its own set of configurations.
● CPU
● Memory
● Storage
● Operating System
When we run terraform init, plugins required for the provider are automatically
downloaded and saved locally to a .terraform directory.
Learning 2 - Resource
A resource block describes one or more infrastructure objects.
Example:
● resource aws_instance
● resource aws_alb
● resource iam_user
● resource digitalocean_droplet
Learning 3 - Resource Blocks
A resource block declares a resource of a given type ("aws_instance") with a
given local name ("myec2").
Resource type and Name together serve as an identifier for a given resource
and so must be unique.
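The following is an added example, not code from the course slides or the KPLABS GitHub repository. It shows the shape of a resource block and why type plus local name must be unique: two resources of the same type are fine as long as their local names differ. The region, AMI id and user name are placeholders.

```hcl
# Added example (not from the course material). Assumes the hashicorp/aws
# provider; the AMI id and names below are placeholders, not real values.
provider "aws" {
  region = "us-east-1"
}

# Resource type "aws_instance" + local name "myec2" form the address
# aws_instance.myec2, which Terraform uses to track this object in state.
resource "aws_instance" "myec2" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t2.micro"

  tags = {
    Name = "myec2"
  }
}

# Same type, different local name: allowed. A second
# resource "aws_instance" "myec2" in the same module would be a
# "duplicate resource" error at validation time.
resource "aws_instance" "bastion" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t2.micro"
}

# A different type may reuse a local name, since the pair is what must be unique.
resource "aws_iam_user" "bastion" {
  name = "bastion-operator"
}
```

Running terraform validate on a directory containing this file catches the duplicate-address case without contacting AWS.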
If you learn the basics, you should be able to work with all providers easily.
Issues and Bugs with Providers
Even a provider maintained by HashiCorp can have bugs.
It can happen that there are inconsistencies between your output and what is
mentioned in the documentation. You can raise an issue on the provider's page.
Relax and Have a Meme Before Proceeding
Provider Tiers
Provider Maintainers
There are 3 primary types of provider tiers in Terraform.
Tier       Description
Official   hashicorp namespace; HashiCorp Maintained
           Non-HashiCorp Maintained
Terraform Destroy
Learning to Destroy Resources
If you keep the infrastructure running, you will get charged for it.
Hence it is important for us to also know how we can delete the infrastructure
resources created via Terraform.
Approach 1 - Destroy ALL
terraform destroy allows us to destroy all the resources that are created within the
folder.
terraform destroy
Approach 2 - Destroy Some
terraform destroy with the -target flag allows us to destroy specific resources.
Terraform Destroy with Target
The -target option can be used to focus Terraform's attention on only a subset of
resources.
Example targets: aws_instance.myec2, github_repository.example
Desired & Current State
Terraform in detail
Desired State
Terraform's primary function is to create, modify, and destroy infrastructure resources to
match the desired state described in a Terraform configuration
[Diagram: desired state in the configuration: EC2 - t2.micro]
Current State
Current state is the actual state of a resource that is currently deployed.
[Diagram: current state of the deployed resource: t2.medium]
Important Pointer
Terraform tries to ensure that the deployed infrastructure is based on the desired state.
If there is a difference between the two, terraform plan presents a description of the
changes necessary to achieve the desired state.
Provider Versioning
Terraform in detail
Provider Architecture
[Diagram: Terraform Core talks to provider plugins (e.g. Digital Ocean), which handle infrastructure provisioning through API interactions]
Overview of Provider Versioning
Provider plugins are released separately from Terraform itself.
[Diagram: provider plugin Version 1 and Version 2 are released on their own schedule]
Explicitly Setting Provider Version
During terraform init, if version argument is not specified, the most recent provider will be
downloaded during initialization.
For production use, you should constrain the acceptable provider versions via configuration, to
ensure that new versions with breaking changes will not be automatically installed.
Arguments for Specifying provider
There are multiple ways for specifying the version of a provider.
Dependency Lock File
Terraform dependency lock file allows us to lock to a specific version of the provider.
If a particular provider already has a selection recorded in the lock file, Terraform will always
re-select that version for installation, even if a newer version has become available.
You can override that behavior by adding the -upgrade option when you run terraform init.
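As an added example (not from the course slides), the following terraform block pins the AWS provider with a version constraint so that a new major version with breaking changes is never installed automatically. The constraint value and the lock file excerpt in the comments are assumptions chosen for illustration.

```hcl
# Added example (not from the course material). The constraint and the
# lock-file excerpt below are illustrative assumptions.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"

      # "~> 5.40" means >= 5.40.0 and < 6.0.0: patch and minor updates are
      # accepted, a 6.x release with breaking changes is not.
      version = "~> 5.40"
    }
  }
}

# After the first `terraform init`, the exact selection is written to
# .terraform.lock.hcl, which should be committed so every machine and CI
# runner installs the identical provider build. Example shape of that file:
#
#   provider "registry.terraform.io/hashicorp/aws" {
#     version     = "5.40.0"
#     constraints = "~> 5.40"
#     hashes = [
#       "h1:PLACEHOLDER-HASH",
#     ]
#   }
#
# Later runs of `terraform init` re-select 5.40.0 even if 5.41.0 exists;
# `terraform init -upgrade` moves to the newest version still inside "~> 5.40".
```

The hashes in the lock file are what make the pin verifiable: if a provider archive downloaded later does not match a recorded hash, initialization fails instead of silently installing a different build.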
Terraform Refresh
Understanding the Challenge
Terraform can create an infrastructure based on configuration you specified.
[Diagram: deployed EC2 is t2.micro; the state file records EC2 type: t2.micro, storage: 20, sg: default]
Understanding the Challenge
The terraform refresh command will check the latest state of your infrastructure
and update the state file accordingly.
[Diagram: terraform refresh scans the real infrastructure, finds the EC2 is now t2.large, and updates the state file to type: t2.large, storage: 20, sg: default]
Points to Note
The -refresh-only option for terraform plan and terraform apply was introduced in
Terraform v0.15.4.
AWS Provider - Authentication Configuration
Understanding the Basics
At this stage, we have been manually hardcoding the access / secret keys within
the provider block.
Although this is a working solution, it is not optimal from a security point of view.
Better Way
We want our code to run successfully without hardcoding the secrets in the
provider block.
Better Approach
The AWS Provider can source credentials and other settings from the shared
configuration and credentials files.
Default Configurations
If the shared file locations are not specified in the provider block, by default Terraform will
locate these files at $HOME/.aws/config and $HOME/.aws/credentials on Linux
and macOS.
When you configure Access/Secret keys in AWS CLI, the location in which these
credentials are stored is the same default location that Terraform searches the
credentials from.
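The following is an added example (not from the course slides) contrasting the hardcoded form with the shared-file form. The profile name and file paths are assumptions; the key values are obvious placeholders and must never be real.

```hcl
# Added example (not from the course material). Profile name, paths and
# key strings are placeholders.

# BEFORE: secrets in the provider block. Anyone who can read the repository,
# a CI log that echoes the file, or a backup of it, now holds the keys.
# provider "aws" {
#   region     = "us-east-1"
#   access_key = "AKIA-PLACEHOLDER"
#   secret_key = "SECRET-PLACEHOLDER"
# }

# AFTER: no secrets in code. With no file paths given, the provider reads
# $HOME/.aws/config and $HOME/.aws/credentials, the same files the AWS CLI
# writes with `aws configure`.
provider "aws" {
  region  = "us-east-1"
  profile = "kplabs-dev" # named profile inside the shared credentials file
}

# Equivalent explicit form for non-default locations (e.g. a CI runner).
provider "aws" {
  alias                    = "explicit_files"
  region                   = "us-east-1"
  shared_config_files      = ["/srv/ci/aws/config"]
  shared_credentials_files = ["/srv/ci/aws/credentials"]
  profile                  = "kplabs-dev"
}

# Contents of the credentials file, which lives outside the repository:
#
#   [kplabs-dev]
#   aws_access_key_id     = AKIA-PLACEHOLDER
#   aws_secret_access_key = SECRET-PLACEHOLDER
```

A quick check that the switch worked is to search the working tree for the strings access_key and secret_key before committing; the only place they should still appear is in the commented "before" block, if you keep it at all.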
We tend to use a different folder for each practical that we do in the course.
This allows us to be more systematic and allows an easier revisit if required.
Find the appropriate code from GitHub
Code in GitHub is arranged according to sections that are matched to the domains in the course.
Every section in GitHub has a Readme file for quick navigation.
Destroy Resource After Practical
terraform destroy
After you have completed your practical, make sure you destroy the resource before moving to
the next practical.
This is easier if you are maintaining a separate folder for each practical.
Relax and Have a Meme Before Proceeding
Learning Scope - AWS Services for Terraform Course
Understanding the Basics
AWS has more than 200 services available.
Aim of the Course
Primary aim of this course is to master the core concepts of Terraform.
Some are AWS Pros, Some are from Azure/GCP, Some are students
To align everyone on the same page, we also cover the basics of the AWS services that
we use throughout the course.
Example - Creating Firewall Through Terraform
[Diagram: firewall opens port 22 (SSH) and port 80 (HTTPD) to internet users, e.g. 1.2.3.4]
Basics of Firewall
Firewall is a network security system that monitors and controls incoming and
outgoing network traffic based on predetermined security rules.
[Diagram: a firewall in front of the HTTPD server denies a connection to port 22 (SSH) and allows a connection to port 80]
Firewall in AWS
A security group acts as a virtual firewall for your instance to control inbound and
outbound traffic.
[Diagram: a user from the Internet is denied a connection to port 22 on the EC2 instance and allowed a connection to port 80]
Sample Security Group with Rules
Inbound and Outbound Rules
Firewalls control both inbound and outbound connections to and from the server.
[Diagram: the security group terraform-firewall has inbound and outbound rules attached to the EC2 instance]
Just because a better approach is recommended, does NOT always mean that
the older approach will stop working.
Organizations can continue to use the approach that suits their
environment best.
Switching to Older Provider Doc
You can always switch to the older version of provider documentation page to
understand the changes.
Closing Pointers
For larger enterprises, it becomes difficult to upgrade their code base to the
newer approach that provider recommends.
In such case, they stick with the appropriate provider version that supports the
older approach of creating the resource.
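As an added example (not from the course slides), the security group from the firewall section above is written both ways: with the older inline ingress/egress blocks, and with the newer one-rule-per-resource style that the AWS provider documentation recommends. This assumes the "better approach" referred to on these slides is that change in the AWS provider; the office IP is a constructed sample value.

```hcl
# Added example (not from the course material). Office IP is a constructed
# sample; both groups are equivalent in effect.
variable "office_ips" {
  description = "Office addresses allowed to reach SSH (constructed sample)"
  type        = list(string)
  default     = ["1.2.3.4/32"]
}

# OLDER APPROACH: rules inline in the security group. Still works.
resource "aws_security_group" "terraform_firewall" {
  name        = "terraform-firewall"
  description = "SSH from office only, HTTP from anywhere"

  ingress {
    description = "SSH restricted to office IPs"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.office_ips
  }

  ingress {
    description = "HTTP from the internet"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# NEWER APPROACH: an empty group plus one resource per rule. Do not mix
# inline blocks and rule resources on the same group, or each plan will try
# to undo the other's rules.
resource "aws_security_group" "firewall_v2" {
  name        = "terraform-firewall-v2"
  description = "Rules managed as separate resources"
}

resource "aws_vpc_security_group_ingress_rule" "ssh_office" {
  security_group_id = aws_security_group.firewall_v2.id
  cidr_ipv4         = var.office_ips[0]
  from_port         = 22
  to_port           = 22
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_ingress_rule" "http_any" {
  security_group_id = aws_security_group.firewall_v2.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 80
  to_port           = 80
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "all_out" {
  security_group_id = aws_security_group.firewall_v2.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1" # all protocols; from_port/to_port must be omitted
}
```

The separate-rule style has a practical upside for review: a change to a single rule shows up in the plan as a change to one small resource rather than as a diff buried inside a large security group block.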
Create Elastic IP with Terraform
Basics of Elastic IP in AWS
An Elastic IP address is a static IPv4 address in AWS.
[Diagram: Elastic IP 52.30.40.50]
Aim of Today’s Video
Attributes are the fields in a resource that hold the values that end up in state.
Attribute      Value
ID             i-abcd
public_ip      52.74.32.50
private_ip     172.31.10.50
private_dns    ip-172-31-10-50.ec2.internal
Points to Note
Each resource type has a predefined set of attributes determined by the
provider.
Cross-Resource Attribute References
Typical Challenge
It can happen that in a single terraform file, you are defining two different
resources.
[Diagram: an EC2 instance and an Elastic IP defined in one file; the Elastic IP has the attribute public_ip = 52.72.52.72]
Cross Referencing Resource Attribute
Terraform allows us to reference the attribute of one resource to be used in a
different resource.
Overall syntax:
<RESOURCE TYPE>.<NAME>.<ATTRIBUTE>
Cross Referencing Resource Attribute
We can specify the resource address with attribute for cross-referencing.
[Diagram: the Elastic IP attribute public_ip = 52.72.52.72 is referenced from another resource]
String Interpolation in Terraform
${...}: This syntax indicates that Terraform will replace the expression inside the
curly braces with its calculated value.
Joke Time
Create an Elastic IP (Public IP) resource in AWS and output the value of the EIP.
Point to Note
Output values defined in Project A can be referenced from code in Project B as
well.
[Diagram: TF code in Project B fetches the output value ip = 54.146.20.28 published by Project A]
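As an added example (not from the course slides) covering the Elastic IP, attribute, cross-reference, interpolation and output slides above: an EIP is attached to an instance, its public_ip attribute is referenced from a security group using the `<TYPE>.<NAME>.<ATTRIBUTE>` syntax, and the value is exposed as an output. AMI id is a placeholder; the security group rule is constructed for illustration.

```hcl
# Added example (not from the course material). AMI id is a placeholder.
resource "aws_instance" "myec2" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t2.micro"
}

# The instance id is only known after creation, so the reference below also
# tells Terraform to create the instance first (an implicit dependency).
resource "aws_eip" "lb" {
  domain   = "vpc"
  instance = aws_instance.myec2.id
}

# Cross-resource reference: <RESOURCE TYPE>.<NAME>.<ATTRIBUTE>.
# Only the EIP's own address may reach the admin port (constructed rule).
resource "aws_security_group" "admin" {
  name        = "admin-from-eip"
  description = "Admin port reachable only from the instance's Elastic IP"

  ingress {
    from_port = 22
    to_port   = 22
    protocol  = "tcp"
    # String interpolation: ${...} is replaced by the computed attribute value,
    # giving e.g. "52.72.52.72/32" once the EIP exists.
    cidr_blocks = ["${aws_eip.lb.public_ip}/32"]
  }
}

# Output values are printed after apply and readable with `terraform output`.
output "eip_public_ip" {
  description = "Public address of the Elastic IP"
  value       = aws_eip.lb.public_ip
}

output "instance_private_dns" {
  value = aws_instance.myec2.private_dns
}

# Another project can read these outputs from this project's state with a
# terraform_remote_state data source (backend details omitted here).
```

Because the reference is to a computed attribute, terraform plan shows the cidr_blocks entry as "(known after apply)" on the first run; that is expected, not an error.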
Terraform Variables
Understanding the Challenge
Repeated static values in the code can create more work in the future.
[Diagram: Firewall Rule 1 and Firewall Rule 2 both repeat the same static IP value]
Better Approach
A better solution would be to define repeated static value in one central place.
Central location:
Key       Value
vpn_ip    101.0.62.210/32
Basics of Variables
Terraform input variables are used to pass certain values from outside of the
configuration.
Variable file:
Name        Value
vpn_ip      101.0.62.210/32
app_port    8080
Benefits of Variables
1. Update important values in one central place instead of searching and
replacing them throughout your code, saving time and potential mistakes.
2. No need to touch the core Terraform configuration file. This can avoid
human mistakes while editing.
Variable Definitions File (TFVars)
Understanding the Base
[Diagram: the Dev environment gets its values from a tfvars file]
If file name is different like prod.tfvars → You have to explicitly define the file
during plan / apply operation.
Approach to Variable Assignment
Understanding the Base
By default, whenever you define a variable, you must also set a value
associated with it.
Ways of assigning a value:
1. Variable Defaults.
3. Environment Variables
Order in which Terraform loads variable values:
1. Environment variables
2. The terraform.tfvars file, if present.
3. The terraform.tfvars.json file, if present.
Depending on the requirement, you can use a wide variety of value types in a Terraform
configuration.
Example: 7575 is a Number.
Restricting Variable Value to Data Type
We can restrict the value of a variable to a data type.
Example:
● set: a collection of unique values that do not have any secondary identifiers or
ordering.
● map: a group of values identified by named labels, like {name = "Mabel", age = 52}.
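The following is an added example (not from the course slides) that puts the variables, tfvars and type-constraint slides together: typed variable declarations with defaults, a commented terraform.tfvars that would override them, and one resource that references the values instead of repeating them. Values are the ones shown on the slides plus constructed samples.

```hcl
# Added example (not from the course material). Values are from the slides
# or constructed samples.

# --- variables.tf -------------------------------------------------------
variable "vpn_ip" {
  description = "VPN address allowed through the firewall, CIDR form"
  type        = string
  default     = "101.0.62.210/32"
}

variable "app_port" {
  type    = number
  default = 8080 # app_port = "abc" would be rejected at plan time
}

variable "allowed_protocols" {
  type    = set(string) # unique, unordered
  default = ["tcp", "udp"]
}

variable "owner" {
  type = map(string) # values identified by named labels
  default = {
    name = "Mabel"
    age  = "52"
  }
}

# --- terraform.tfvars (loaded automatically if present) -----------------
# vpn_ip   = "203.0.113.10/32"
# app_port = 9090
#
# A file with a different name, e.g. prod.tfvars, is not loaded unless passed
# explicitly with -var-file=prod.tfvars on plan/apply.

# --- main.tf: each value is referenced, never repeated --------------------
resource "aws_security_group" "app" {
  name        = "app-sg"
  description = "App port reachable only from the VPN address"

  ingress {
    from_port   = var.app_port
    to_port     = var.app_port
    protocol    = "tcp"
    cidr_blocks = [var.vpn_ip]
  }

  tags = {
    Owner = var.owner["name"]
  }
}
```

Changing the VPN address then means editing one line in the tfvars file; the security group and any other resource that references var.vpn_ip pick it up on the next plan.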
Requirement:
Pool of Servers
Introducing Count Argument
The count argument accepts a whole number, and creates that many instances
of the resource.
Pool of Servers
Challenges with Count
The instances created through count are identical copies, but you might want to
customize certain properties for each one.
Example - IAM User
For many resources, exactly identical copies are not required and will not work.
Example: You cannot have multiple AWS users with exactly the same name.
COUNT.INDEX
Introducing Count Index
When using count, you can also make use of count.index which allows better
flexibility.
This attribute holds a distinct index number, starting from 0, that uniquely
identifies each instance created by the count meta-argument.
Tabular Representation
The following representation shows each EC2 instance's resource address, which
contains the index.
[Table: instances with index 0, 1 and 2]
CLI Output
Within the CLI output, you will be able to see the index value of each resource.
[Diagram: a variable ENV with value dev or production feeds a conditional expression; the result depends on the logic]
If condition is true then the result is true_val. If condition is false then the result is
false_val.
Conditional Expression Based on Use-Case
If Environment is Development, t2.micro instance type should be used.
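As an added example (not from the course slides) covering both the count / count.index slides and the conditional expression use-case just stated: a pool of servers whose size comes from a variable, whose instance type is chosen with `condition ? true_val : false_val`, and a set of IAM users whose names are made unique with count.index. AMI id is a placeholder.

```hcl
# Added example (not from the course material). AMI id is a placeholder.
variable "env" {
  type    = string
  default = "dev"
}

variable "server_count" {
  type    = number
  default = 3
}

# count creates server_count copies addressed as
# aws_instance.pool[0], aws_instance.pool[1], aws_instance.pool[2]
resource "aws_instance" "pool" {
  count = var.server_count
  ami   = "ami-PLACEHOLDER"

  # Conditional expression: if env is dev use t2.micro, otherwise t2.large
  instance_type = var.env == "dev" ? "t2.micro" : "t2.large"

  tags = {
    # count.index (0, 1, 2) makes each otherwise identical copy distinguishable
    Name = "pool-${count.index}"
    Env  = var.env
  }
}

# IAM user names must be unique, so count alone fails at apply time;
# interpolating count.index into the name gives user-0, user-1, user-2.
resource "aws_iam_user" "users" {
  count = 3
  name  = "user-${count.index}"
}
```

In the plan output the addresses appear as aws_instance.pool[0] through aws_instance.pool[2], which is the tabular representation from the slides.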
[Diagram: the function max() takes the input 10, 30, 20 and returns the output 30]
Function 1 - MAX
max() takes one or more numbers and returns the greatest number.
Function 2 - FILE
file() reads the contents of a file at the given path and returns them as a string.
Introducing Terraform Console
Terraform Console provides an interactive environment specifically designed to
test functions and experiment with expressions before integrating them into your
main code.
Importance of File Function
file reads the contents of a file at the given path and returns them as a string.
[Diagram: configuration before and after using the file function]
Functions in Terraform
Terraform has a wide variety of functions available to achieve different sets of
use-cases.
The Terraform language does not support user-defined functions, and so only
the functions built in to the language are available for use.
The documentation includes a page for all of the available built-in functions.
Challenge - Analyzing Code Containing Functions
Setting the Base
As part of this challenge, you will be given code that contains multiple
Terraform functions.
You have to analyze what this code does without running the "apply" operation.
Overall Workflow
1. Analyze what exactly the given code in GitHub will do without running the
“apply operation”.
terraform console
2 - Analyzing Length Function
length determines the length of a given list, map, or string.
Testing Length Function
Code: count = length(var.tags)
3 - Analyzing Element Function
element retrieves a single element from a list.
3. The EC2 instance will have a creation-date tag with the timestamp value.
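As an added example (not the challenge code from the course GitHub), the following uses the functions named in the challenge and the function slides: length() drives count, element() picks the tag for each index, timestamp() fills the creation-date tag, file() reads an SSH public key, and max() appears in an output. The tag values and file name are constructed.

```hcl
# Added example (not from the course material). Tag values and the key file
# name are constructed samples.
variable "tags" {
  type    = list(string)
  default = ["firstec2", "secondec2", "thirdec2"]
}

# length(var.tags) is 3, so three instances are created
resource "aws_instance" "app" {
  count         = length(var.tags)
  ami           = "ami-PLACEHOLDER"
  instance_type = "t2.micro"

  tags = {
    # element(list, index) returns the item at that index and wraps around
    # if the index exceeds the list length
    Name = element(var.tags, count.index)

    # timestamp() is the UTC time at apply; it differs on every run, so this
    # tag will show a change on every plan unless it is ignored via lifecycle
    CreationDate = timestamp()
  }
}

# file() reads a local file into a string, so key material stays in a file
# next to the configuration rather than pasted into the code
resource "aws_key_pair" "deployer" {
  key_name   = "deployer-key"
  public_key = file("${path.module}/deployer.pub")
}

# max() returns the greatest of its arguments (the slides' example inputs)
output "largest" {
  value = max(10, 30, 20)
}
```

Each expression above can be evaluated interactively in terraform console before apply, for example typing element(["firstec2", "secondec2", "thirdec2"], 1) or length(["a", "b"]) to confirm the value a resource will receive.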
You are Awesome
Learning Terraform functions is a longer journey compared to other
topics.
Repeating these values across multiple resource blocks increases the code
length and makes it difficult to manage in larger projects.
Solution using Variables
One solution is to centralize these common values using Variables
Introducing Local Values
Local Values are similar to Variables in the sense that they allow you to store data
centrally so that it can be referenced in multiple parts of the configuration.
Additional Benefit of Locals
You can add expressions to locals, which allows you to compute values
dynamically.
Locals vs Variables
Variable value can be defined in wide variety of places like terraform.tfvars, ENV
Variables, CLI and so on.
Locals are more of a private resource. You have to directly modify the code.
Locals are used when you want to avoid repeating the same expression multiple
times.
Important Points to Note
Local values are created by a locals block (plural), but you reference them as
attributes on an object named local (singular).
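The following is an added example (not from the course slides) showing a locals block holding both static values and a computed expression, referenced from two resources as local.<name>. Names and the bucket value are constructed.

```hcl
# Added example (not from the course material). Names are constructed.
variable "env" {
  type    = string
  default = "dev"
}

locals {
  # Static values shared by several resources
  owner   = "platform-team"
  project = "kplabs-demo"

  # A computed value: an expression, which an input variable cannot hold
  common_tags = {
    Owner   = local.owner
    Project = local.project
    Env     = var.env
    Name    = upper("${local.project}-${var.env}")
  }
}

resource "aws_instance" "web" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t2.micro"
  # declared in "locals" (plural), referenced as local.<name> (singular)
  tags = local.common_tags
}

resource "aws_s3_bucket" "logs" {
  bucket = "${local.project}-${var.env}-logs"
  # merge() layers a resource-specific tag on top of the shared set
  tags = merge(local.common_tags, { Purpose = "access-logs" })
}
```

Unlike var.env, nothing outside this file can change local.project: a tfvars file, an environment variable or a -var flag cannot reach a local, which is why the slides describe locals as private.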
Data Sources
Introducing Data Sources
Data sources allow Terraform to use / fetch information defined outside of
Terraform.
[Diagram: the data source fetches the details and passes them on internally to a resource block in the Terraform code]
Example 1 - Reading Info of DO Account
The following data source code is used to get information on your DigitalOcean
account.
Example 2 - Reading a File
The following data source allows you to read the contents of a file in your local filesystem.
Clarity regarding path.module
${path.module} returns the current file system path where your code is located.
Example 3 - Fetch EC2 Instance Details
The following data source code is used to fetch details about an EC2 instance in
your AWS region.
Data Sources Documentation Reference
Finding Available Data Sources
The list of available data sources is associated with each resource of a provider.
Data Sources Format
Understanding the Basic Structure
A data source is accessed via a special kind of resource known as a data
resource, declared using a data block:
Following data block requests that Terraform read from a given data source
("aws_instance") and export the result under the given local name ("foo").
Filter Structure
Within the block body (between { and }) are query constraints defined by the
data source.
Fetching Latest OS Image Using Data Sources
Understanding the Requirement
You have been given a requirement to write a Terraform code that creates EC2
instance using latest OS Image of Amazon Linux.
Approach that a New User Will Take
We want to use the latest OS image for creating a server in AWS.
1. Go to EC2 Console.
[Diagram: user asks Terraform to fetch the latest Ubuntu OS image and receives ami-1234]
Introducing Data Sources
Data sources allow Terraform to use information defined outside of Terraform,
and we can use that information to provision resources.
[Diagram: the data source passes the AMI ID to the EC2 resource block in the Terraform code]
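As an added example (not from the course slides) for the data source slides above: an aws_ami data source looks up the latest Amazon Linux image, its id is passed to the EC2 resource, an aws_instance data source with the local name "foo" reads an existing server, and a local_file data source reads a file. The AMI name filter, tag value and file name are assumptions.

```hcl
# Added example (not from the course material). The AMI name pattern, tag
# value and file name are assumptions.

# Latest Amazon Linux image published by Amazon
data "aws_ami" "amazon_linux" {
  most_recent = true
  owners      = ["amazon"]

  # Query constraints live inside the block body
  filter {
    name   = "name"
    values = ["al2023-ami-2023*-x86_64"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

# The data source's id attribute is passed to the resource block, so there
# is no hardcoded ami-1234 to keep up to date by hand
resource "aws_instance" "web" {
  ami           = data.aws_ami.amazon_linux.id
  instance_type = "t2.micro"
}

# Read an existing instance and export it under the local name "foo"
data "aws_instance" "foo" {
  filter {
    name   = "tag:Name"
    values = ["existing-server"]
  }
}

output "existing_private_ip" {
  value = data.aws_instance.foo.private_ip
}

# Read a local file; path.module is the directory holding this configuration
data "local_file" "banner" {
  filename = "${path.module}/banner.txt"
}
```

One caveat a practitioner should expect: with most_recent = true, a newly published AMI changes the data source's id on the next plan, and since the AMI argument forces replacement, the plan proposes recreating the instance. Pinning the name pattern more tightly, or using ignore_changes on ami, keeps that from happening unintentionally.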
Debugging Terraform
Basics of Debugging
Debugging is the process of finding the root cause of a specific issue.
Depending on the application, the approach to get detailed logs will differ.
Debugging in Terraform
Similar to SSH verbosity levels, Terraform also allows us to set a wide variety of log
levels for getting detailed logs for debugging purposes.
Understanding the Basics
Terraform has detailed logs that you can enable by setting the TF_LOG
environment variable to any value.
You can set TF_LOG to one of the following log levels (in order of decreasing verbosity):
Log Level
TRACE
DEBUG
INFO
WARN
ERROR
Storing the Logs to File
To persist logged output you can set TF_LOG_PATH in order to force the log to
always be appended to a specific file when logging is enabled.
Terraform Troubleshooting Model
There are four potential types of issues that you could experience with Terraform:
When Terraform encounters a syntax error in your configuration, it prints out the
line numbers and an explanation of the error.
2 - State Errors
If state is out of sync, Terraform may destroy or change your existing resources.
If state is locked, you will also be blocked from running write operations.
3 - Core errors
These errors are directly related to the main Terraform application.
Use the Provider GitHub page for reporting and identifying the issue.
Reporting Terraform Bugs
Reporting Bugs
You can report bugs in the Terraform Core GitHub page or appropriate provider
page.
1 - Navigate to Issues
First, navigate to the Terraform GitHub repository and choose "Issues" from the
top tabs.
2 - Choose "New Issue".
3 - Click “Get Started”
4 - Fill Core Terraform Template
Terraform Format
Terraform in detail
Importance of Readability
Anyone who is into programming knows the importance of formatting the code for readability.
The terraform fmt command is used to rewrite Terraform configuration files to take care of the
overall formatting.
[Diagram: the same configuration before and after terraform fmt]
Terraform Validate
Terraform in detail
Overview of Terraform Validate
It can check various aspects including unsupported arguments, undeclared variables and others.
Load Order & Semantics
Terraform in detail
Understanding Semantics
Terraform generally loads all the configuration files within the directory specified in
alphabetical order.
The files loaded must end in either .tf or .tf.json to specify the format that is in use.
Dynamic Block
Terraform In Depth
Understanding the Challenge
In many use-cases, there are repeatable nested blocks that need to be defined.
This can lead to long code that becomes difficult to manage over time.
Dynamic Blocks
Dynamic blocks allow us to dynamically construct repeatable nested blocks, which are supported
inside resource, data, provider, and provisioner blocks.
Iterators
The iterator argument (optional) sets the name of a temporary variable that represents the
current element of the complex value.
If omitted, the name of the variable defaults to the label of the dynamic block ("ingress" in the
example above).
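The following is an added example (not from the course slides) of a dynamic "ingress" block with an explicit iterator. The port-to-CIDR map is a constructed sample; without the iterator argument the element would be referred to as ingress.key / ingress.value instead of port.key / port.value.

```hcl
# Added example (not from the course material). The map is a constructed
# sample: port => allowed source CIDR.
variable "ingress_rules" {
  type = map(string)
  default = {
    "22"  = "1.2.3.4/32"  # SSH only from the office address
    "80"  = "0.0.0.0/0"   # HTTP from anywhere
    "443" = "0.0.0.0/0"   # HTTPS from anywhere
  }
}

resource "aws_security_group" "dynamic_sg" {
  name        = "dynamic-sg"
  description = "Ingress rules generated from a map"

  # One ingress block is produced per map entry. The iterator renames the
  # temporary variable from the default "ingress" to "port".
  dynamic "ingress" {
    for_each = var.ingress_rules
    iterator = port

    content {
      description = "Port ${port.key} from ${port.value}"
      from_port   = port.key
      to_port     = port.key
      protocol    = "tcp"
      cidr_blocks = [port.value]
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Keeping the source CIDR in the map, rather than a single shared cidr_blocks for every port, is what allows the generated rules to differ per port; a plain list of ports would force the same source on all of them.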
Terraform Taint
Understanding the Use-Case
You have created a new resource via Terraform.
Users have made a lot of manual changes (both to the infrastructure and inside the
server).
Two ways to deal with this: import the changes into Terraform, or delete & recreate
the resource.
[Diagram: Destroy → Create]
Points to Note
Similar kind of functionality was achieved using terraform taint command in older
versions of Terraform.
For Terraform v0.15.2 and later, HashiCorp recommends using the -replace
option with terraform apply.
Splat Expression
Terraform Expressions
Overview of Splat Expression
Splat Expression allows us to get a list of all the attributes.
Terraform Graph
Understanding the Base Structure
Terraform graph refers to a visual representation of the dependency
relationships between resources defined in your Terraform configuration.
Summary and Conclusion
Terraform graphs are a valuable tool for visualizing and understanding the
relationships between resources in your infrastructure defined with Terraform.
This ensures the infrastructure state remains exactly as shown in the plan to
ensure consistency.
Exploring Terraform Plan File
The saved Terraform plan file will be a binary file.
You can use the terraform show command to read the contents in detail.
Use-Cases of Saving Plan to a File
The terraform output command is used to extract the value of an output variable from the state
file.
Terraform Settings
Setting the Base
We can use the provider block to define various aspects of the provider, like
region, credentials and so on.
Specific Version to Run Your Code
In a Terraform project, your code might require a very specific set of versions to
run.
You can further fine-tune to include a specific version of the provider plugins.
Flexibility in Settings Block
There are a wide variety of options that can be specified in the Terraform block.
BackEnd Configuration
Experimental Features
Point to Note
The provider { } block is still important to specify various other aspects like
regions, credentials, alias and others.
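As an added example (not from the course slides) of the settings block: required_version pins the Terraform CLI, required_providers pins the plugin, a backend block configures remote state, and the provider block still carries region and an alias. Bucket, table and version values are placeholders.

```hcl
# Added example (not from the course material). Bucket/table names and the
# version ranges are placeholders.
terraform {
  # Which Terraform CLI versions may run this configuration
  required_version = ">= 1.5.0, < 2.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  # Backend: where the state file is stored and locked
  backend "s3" {
    bucket         = "PLACEHOLDER-tfstate-bucket"
    key            = "kplabs/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "PLACEHOLDER-tfstate-lock"
  }
}

# The provider block is still where region, credentials and aliases live
provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "west"
  region = "us-west-2"
}

# A resource selects the aliased provider explicitly
resource "aws_s3_bucket" "west_only" {
  provider = aws.west
  bucket   = "PLACEHOLDER-west-bucket"
}
```

The state file contains every attribute Terraform knows about, including some that are sensitive, so encrypt = true on the backend and tight access control on the bucket matter as much as the version pins.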
Dealing with Larger Infrastructure
Terraform in detail
Challenges with Larger Infrastructure
When you have a larger infrastructure, you will face issues related to the API limits of a provider.
[Diagram: a single terraform plan over infra.tf covering 3 RDS, 100 SG rules and the VPC infra]
Dealing With Larger Infrastructure
[Diagram: the configuration split into ec2.tf (5 EC2), rds.tf (3 RDS) and vpc.tf (VPC infra), each with its own terraform plan, instead of one infra.tf]
Slow Down, My Man
We can prevent terraform from querying the current state during operations like terraform plan.
The zipmap function constructs a map from a list of keys and a corresponding list of
values.
Keys          Values     Result
pineapple     yellow     pineapple=yellow
orange        orange     orange=orange
strawberry    red        strawberry=red
Sample Output of Zipmap Function
Simple Use-Case
You are creating multiple IAM users.
You need an output which contains a direct mapping of IAM user names to ARNs.
Comments in Terraform Code
Commenting the Code!
Overview of Comments
A comment is a text note added to source code to provide explanatory information,
usually about the function of the code.
Comments in Terraform
The Terraform language supports three different syntaxes for comments:
Type          Description
/* ... */     /* and */ are start and end delimiters for a comment that might span over multiple lines.
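The following is an added example (not from the course slides) that serves three slides at once: the splat expression slide, the zipmap use-case of mapping IAM user names to ARNs, and the comments slide, since the block uses all three comment syntaxes Terraform accepts. The user names are a constructed sample.

```hcl
/*
 * Multi-line comment: IAM users are created with count, then a
 * name => ARN map is built with zipmap for the output.
 */
variable "user_names" {
  type    = list(string)
  default = ["alice", "bob", "carol"] # constructed sample
}

resource "aws_iam_user" "iam" {
  count = length(var.user_names)
  name  = var.user_names[count.index]
}

# Splat expression: the arn attribute of every instance, as a list
output "user_arns" {
  value = aws_iam_user.iam[*].arn
}

// zipmap(keys, values): both lists come from splat expressions over the same
// resource, so they are guaranteed to have the same length and order
output "user_name_to_arn" {
  value = zipmap(aws_iam_user.iam[*].name, aws_iam_user.iam[*].arn)
}
```

Deriving both lists from the same resource is the point: building the keys from var.user_names and the values from the splat would also work today, but would silently pair the wrong name with the wrong ARN if the two ever diverged.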
Resource Behavior and Meta-Argument
Understanding the Basics
A resource block declares that you want a particular infrastructure object to exist
with the given settings
How Terraform Applies a Configuration
Create resources that exist in the configuration but are not associated with a real
infrastructure object in the state.
Destroy resources that exist in the state but no longer exist in the configuration.
Destroy and re-create resources whose arguments have changed but which
cannot be updated in-place due to remote API limitations.
Understanding the Limitations
What happens if we want to change the default behavior?
[Diagram: a resource with tags Name = HelloWorld and Env = Production]
Solution - Using Meta Arguments
Terraform allows us to include meta-argument within the resource block which
allows some details of this standard resource behavior to be customized on a
per-resource basis.
Argument                Description
count                   Accepts a whole number, and creates that many instances of the resource.
for_each                Accepts a map or a set of strings, and creates an instance for each item in that map or set.
create_before_destroy   The new replacement object is created first, and the prior object is destroyed after the replacement is created.
prevent_destroy         Causes Terraform to reject with an error any plan that would destroy the infrastructure object associated with the resource.
ignore_changes          Ignore certain changes to the live resource that do not match the configuration.
replace_triggered_by    Replaces the resource when any of the referenced items change.
Replace Triggered By
Replaces the resource when any of the referenced items change.
Create Before Destroy Argument
Understanding the Default Behavior
By default, when Terraform must change a resource argument that cannot be
updated in-place due to remote API limitations, Terraform will instead destroy the
existing object and then create a new replacement object with the new
configured arguments.
[Diagram: default behavior on a changed AMI: destroy the old instance first, then create the new one]
Create Before Destroy Argument
The create_before_destroy meta-argument changes this behavior so that the
new replacement object is created first, and the prior object is destroyed after
the replacement is created.
[Diagram: with create_before_destroy on a changed AMI: create the new instance first, then destroy the old one]
Join us in our Adventure
kplabs.in/chat
Be Awesome
kplabs.in/linkedin
LifeCycle - Prevent Destroy Argument
Prevent Destroy Argument
This meta-argument, when set to true, will cause Terraform to reject with an
error any plan that would destroy the infrastructure object associated with the
resource, as long as the argument remains present in the configuration.
Points to Note
This can be used as a measure of safety against the accidental replacement of
objects that may be costly to reproduce, such as database instances.
Since this argument must be present in configuration for the protection to apply,
note that this setting does not prevent the remote object from being destroyed if
the resource block were removed from configuration entirely.
LifeCycle - Ignore Changes Argument
Ignore Changes
In cases where the settings of a remote object are modified by processes outside of
Terraform, Terraform would attempt to "fix" them on the next run.
In order to change this behavior and ignore the manually applied change, we
can make use of ignore_changes argument under lifecycle.
Points to Note
Instead of a list, the special keyword all may be used to instruct Terraform to
ignore all attributes, which means that Terraform can create and destroy the
remote object but will never propose updates to it.
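The three lifecycle arguments discussed above, combined in one configuration as an added example (not code from the course slides); the AMI id, database identifier and instance sizes are placeholder values:

```hcl
# Added example, not from the course slides. Placeholder AMI id and names.
resource "aws_instance" "app" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI id
  instance_type = "t2.micro"

  tags = {
    Name = "app-server"
  }

  lifecycle {
    # Create the replacement instance first, then destroy the old one, so a
    # changed AMI does not leave a window with no running server.
    create_before_destroy = true

    # Ignore tag changes made outside Terraform (for example by an
    # auto-tagging process) instead of "fixing" them on the next apply.
    ignore_changes = [tags]
  }
}

variable "db_password" {
  type      = string
  sensitive = true # supplied at apply time, never hard-coded in the module
}

resource "aws_db_instance" "main" {
  identifier          = "app-db" # placeholder
  engine              = "mysql"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "admin"
  password            = var.db_password
  skip_final_snapshot = true

  lifecycle {
    # Any plan that would destroy this database fails with an error while
    # this block is present. Removing the whole resource block from the
    # configuration still destroys the object (see Points to Note above).
    prevent_destroy = true
  }
}
```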
Challenges with Count Meta-Argument
Revising the Basics
Resources are identified by their index value in the list.
aws_iam_user.iam[0] user-01
aws_iam_user.iam[1] user-02
aws_iam_user.iam[2] user-03
Challenge - 1
If the order of elements in the list changes, this can impact all of the other resources, because every instance is re-identified by its new index.
aws_iam_user.iam[0] user-01
aws_iam_user.iam[1] user-02
aws_iam_user.iam[2] user-03
Data Type - SET
Let's Revise Programming: Basics of List
Understanding SET
(Slide contrasts allowed and not-allowed set contents)
toset Function
for_each
Meta-Argument
Basics of For Each
aws_iam_user.iam[user-01] user-01
aws_iam_user.iam[user-02] user-02
aws_iam_user.iam[user-03] user-03
Replication Count Challenge
aws_iam_user.iam[user-01] user-01
aws_iam_user.iam[user-02] user-02
aws_iam_user.iam[user-03] user-03
aws_iam_user.iam[user-0] user-0
The each object
each.key The map key (or set member) corresponding to this instance.
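The count index-shift problem and the for_each fix, side by side, as an added example (not code from the course slides); the user names are constructed sample values:

```hcl
# Added example, not from the course slides. Sample user names are constructed.
variable "user_names" {
  type    = list(string)
  default = ["user-01", "user-02", "user-03"]
}

# count: instances are addressed by position. If "user-01" is removed from the
# list, aws_iam_user.by_count[0] becomes "user-02", [1] becomes "user-03" and
# [2] is destroyed, so Terraform plans a change on every user instead of
# deleting just one.
resource "aws_iam_user" "by_count" {
  count = length(var.user_names)
  name  = var.user_names[count.index]
}

# for_each requires a set or map, so the list is converted with toset()
# (duplicates collapse and ordering is dropped). Instances are addressed by
# key: aws_iam_user.by_key["user-02"] keeps its address whatever else changes.
resource "aws_iam_user" "by_key" {
  for_each = toset(var.user_names)
  name     = each.key # for a set, each.key and each.value are the same
}

# Removing "user-01" from the variable now produces a single destroy:
#   - aws_iam_user.by_key["user-01"] will be destroyed
output "iam_user_arns" {
  value = { for k, u in aws_iam_user.by_key : k => u.arn }
}
```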
Terraform Provisioners
Setting the Base
We have been using Terraform to create and manage resources for a specific
provider.
(Diagram: Terraform launches a VM; now what?)
Introducing Provisioners
Provisioners are used to execute scripts on a local or remote machine as part of
resource creation or destruction.
(Diagram: Terraform launches the VM, then installs software on it)
Types of Provisioners in Terraform
Setting the Base
Provisioners are used to execute scripts on a local or remote machine as part
of resource creation or destruction.
Provisioners: local-exec, remote-exec
Type 1 - local-exec provisioner
The local-exec provisioner invokes a local executable after a resource is
created.
Example: After EC2 is launched, fetch the IP and store it in file server_ip.txt
(Diagram: 1. Terraform launches the server; 2. Terraform stores its IP in server_ip.txt)
Type 2 - remote-exec provisioner
remote-exec provisioners allow to invoke scripts or run commands directly on
the remote server.
(Diagram: Terraform launches the VM, then installs software on it via remote-exec)
Today’s Demo
For today’s demo, the Terraform code will run two provisioners.
(Diagram: Terraform stores the server IP in server_ip.txt and installs software on the server)
Format of Provisioners
1 - Defining Provisioners
For local-exec provisioners, we have to specify the command that needs to be run locally.
4 - Remote Exec Provisioner Approach
Since commands are executed on the remote server, we have to provide a way for
Terraform to connect to the remote server.
Creation-time provisioners are only run during creation, not during updating or
any other lifecycle.
(Diagram: Terraform launches the VM and the creation-time provisioner installs software)
Destroy-Time Provisioner
Destroy provisioners are run before the resource is destroyed.
(Example slide: defining a destroy-time provisioner)
Tainting Resource in Creation-Time Provisioners
If a creation-time provisioner fails, the resource is marked as tainted.
A tainted resource will be planned for destruction and recreation upon the next
terraform apply.
(Diagram: the Install Software provisioner fails)
This will lead to the resource being tainted, and we will have to re-create the resource.
Basics of On Failure Setting
The on_failure setting can be used to change the default behaviour.
fail Raise an error and stop applying (the default behavior). If this is a
creation provisioner, taint the resource.
Reference Code - On-Failure
Following screenshot shows a reference code where on_failure is set to
continue.
Reference Screenshot - Failed Provisioner
Following screenshot shows that the provisioner has failed but still the apply has
completed successfully.
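The two demo provisioners plus a destroy-time provisioner and on_failure = continue, as an added example (not the course's demo code); the AMI id, key pair name and key path are placeholders:

```hcl
# Added example, not from the course slides. AMI id, key name and key path are placeholders.
resource "aws_instance" "web" {
  ami           = "ami-0123456789abcdef0" # placeholder
  instance_type = "t2.micro"
  key_name      = "terraform-key"         # placeholder key pair name

  # Creation-time local-exec: runs on the machine running terraform apply
  # and stores the public IP in server_ip.txt, like the demo slide.
  provisioner "local-exec" {
    command = "echo ${self.public_ip} >> server_ip.txt"
  }

  # remote-exec needs a connection block so Terraform can SSH to the host.
  connection {
    type        = "ssh"
    user        = "ec2-user"
    private_key = file(pathexpand("~/.ssh/terraform-key.pem")) # placeholder path
    host        = self.public_ip
  }

  provisioner "remote-exec" {
    inline = [
      "sudo yum install -y nginx",
      "sudo systemctl enable --now nginx",
    ]
    # If this script fails the apply still completes and the instance is NOT
    # tainted. With the default (fail) the instance would be tainted and
    # recreated on the next apply.
    on_failure = continue
  }

  # Destroy-time provisioner: runs before the instance is destroyed. Destroy
  # provisioners may only reference self, count.index and each.key.
  provisioner "local-exec" {
    when    = destroy
    command = "echo 'destroying ${self.id}' >> server_ip.txt"
  }
}
```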
Terraform Modules
Understanding the Basics
In software engineering, don't repeat yourself (DRY) is a principle of software
development aimed at reducing repetition of software patterns.
Understanding the Challenge
Let’s assume there are 10 teams in your organization using Terraform to create
and manage EC2 instances.
(Diagram: Team 1, Team 3 and Team 5 each maintain their own EC2 code)
2. A change in an AWS provider-specific option will require a change in the EC2 code
blocks of all the teams.
3. Lack of standardization.
4. Difficult to manage.
(Diagram: Team 1, 2 and 3 code each defining EC2 directly, versus Team 1-4 code calling a shared EC2 Module and VPC Module, which create the infrastructure)
Points to Note - Referencing Terraform Modules
Understanding the Base
For some infrastructure resources, you can directly use the module calling code,
and the entire infrastructure will be created for you.
Avoiding Confusion
Just by referencing any module, it is not always the case that the infrastructure
resource will be created for you directly.
Some modules require specific inputs and values from the user side to be filled
in before a resource gets created.
Example Module - AWS EKS
If you try to use an AWS EKS Module directly and run “terraform apply”, it will
throw an error.
Module Structure Can be Different
Some module pages in GitHub can contain multiple sets of modules together for
different features.
Avoid directly using any random Terraform module that is not actively maintained
and looks shady (primarily those published by sole individual contributors).
An attacker can include malicious code in a module that sends information about
your environment to the attacker.
Which Modules do Organizations Use?
They might initially fork a module from the Terraform registry and modify it based
on their use case.
Creating Base Module Structure
Understanding the Base Structure
A base "modules" folder with one sub-folder per module: EC2, IAM, VPC, SG.
What is Inside the Sub-Folders
Each module’s sub-folder contains the actual module Terraform code that other
projects can reference from.
(Diagram: modules folder > EC2 > main.tf)
Calling the Module
Each Team can call various set of modules that are available in the modules
folder based on their requirements.
(Diagram: Team 1 Code calls EC2 and IAM; Team 2 Code calls VPC and SG; Team 3 Code)
The Teams sub-folder contains one folder per team that we want to make available.
(Diagram: modules folder with EC2 and SG; Teams folder with A and B)
Module Sources - Calling a Module
Understanding the Base
Module source code can be present in wide variety of locations.
These include:
1. GitHub
2. HTTP URLs
3. S3 Buckets
4. Terraform Registry
5. Local paths
Base - Calling the Module
In order to reference a module, you need to make use of the module block.
The module block must contain a source argument that holds the location of the
referenced module.
Example 1 - Local Paths
Local paths are used to reference a module that is available in the local filesystem.
A local path must begin with either ./ or ../ to indicate that it is a local path.
Example 2 - Generic Git Repository
Arbitrary Git repositories can be used by prefixing the address with the special
git:: prefix.
Module Version
A specific module can have multiple versions.
You can reference a specific version of a module with the version argument.
Improvements in Custom Module Code
Our Simple Module
We had created a very simple module that allows developers to launch an EC2
instance when calling the module.
Need to Analyze Shortcomings
Being a simplistic and basic module, there is good room for improvement.
If a developer calls the module, they have to stick with the same values.
The developer is not able to override the hard-coded values of the module.
Hard-Coded Values
Challenge 2 - Provider Improvements
Avoid hard-coding region in the Module code as much as possible.
Root Module and Child Module
A module that has been called by another module is often referred to as a child
module.
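A child EC2 module that exposes its previously hard-coded values as variables, called from a root module through a local path, a git:: source and a registry source with a version pin, as an added example (not the course's module code); the AMI id, repository URL and registry module are assumptions:

```hcl
# Added example, not from the course slides. Several files are shown in one
# block; the file each part belongs to is given in the comment above it.

# --- modules/ec2/variables.tf ---
variable "ami_id" {
  type = string
}

variable "instance_type" {
  type    = string
  default = "t2.micro" # a default, but callers can override it
}

variable "name" {
  type = string
}

# --- modules/ec2/main.tf ---
# No provider block and no region here: the caller configures the provider,
# so the child module is not tied to one region.
resource "aws_instance" "this" {
  ami           = var.ami_id
  instance_type = var.instance_type
  tags          = { Name = var.name }
}

# --- modules/ec2/outputs.tf ---
output "public_ip" {
  value = aws_instance.this.public_ip
}

# --- teams/a/main.tf (root module) ---
provider "aws" {
  region = "ap-south-1"
}

# Local path source: must start with ./ or ../
module "team_a_ec2" {
  source        = "../../modules/ec2"
  ami_id        = "ami-0123456789abcdef0" # placeholder
  instance_type = "t3.small"              # overrides the module default
  name          = "team-a-web"
}

# Generic Git source with a sub-directory and a pinned ref (placeholder URL)
module "ec2_from_git" {
  source = "git::https://example.com/org/terraform-modules.git//ec2?ref=v1.2.0"
  ami_id = "ami-0123456789abcdef0" # placeholder
  name   = "team-a-batch"
}

# Public registry source with a version constraint (assumed registry module)
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"
  name    = "team-a-vpc"
  cidr    = "10.0.0.0/16"
}

output "team_a_web_ip" {
  value = module.team_a_ec2.public_ip
}
```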
At this stage, we have been keeping the overall module structure very simple to
understand the concepts.
In this scenario, a team of Terraform producers, who write Terraform code from
scratch, will build a collection of modules to provision the infrastructure and
applications.
The members of the team in charge of the application will consume these
modules to provision the infrastructure they need.
Final Module Output
After reviewing the consumer team's requirements, the producer team has
broken up the application infrastructure into the following modules:
Requirements for Publishing Module
Requirement                Description
GitHub                     The module must be on GitHub and must be a public repo. This is only a requirement for the public registry.
Repository description     The GitHub repository description is used to populate the short description of the module.
Standard module structure  The module must adhere to the standard module structure.
x.y.z tags for releases    The registry uses tags to identify module versions. Release tag names must be a semantic version, which can optionally be prefixed with a v. For example, v1.0.4 and 0.9.2.
Standard Module Structure
The standard module structure is a file and directory layout that is recommended for
reusable modules distributed in separate repositories.
Terraform Workspace
Setting the Base
An infrastructure created through Terraform is tied to the underlying Terraform
configuration and a state file.
(Diagram: an EC2 instance tied to terraform.tfstate)
What If?
What if we have multiple state files for a single Terraform configuration?
(Diagram: Environment 1: Development uses dev.tfstate for the Development ENV, Production uses prod.tfstate for the Production ENV; each state file corresponds to a Workspace)
Flexibility with Workspace
Depending on the workspace being used, the value to a specific argument in
your Terraform code can also change.
(Diagram: Development workspace with dev.tfstate and Production workspace with prod.tfstate, driven by the same Terraform code)
Environment   instance_type
Development   t2.micro
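Selecting instance_type from the current workspace, as an added example (not code from the course slides); the slide only gives the development value, so the production size and the fallback are assumed:

```hcl
# Added example, not from the course slides. Production size is an assumption.
locals {
  instance_type_by_env = {
    development = "t2.micro"
    production  = "t2.large" # assumed value
  }

  # terraform.workspace is the name of the currently selected workspace.
  # Fall back to t2.micro for the "default" workspace or any unknown name.
  instance_type = lookup(local.instance_type_by_env, terraform.workspace, "t2.micro")
}

resource "aws_instance" "app" {
  ami           = "ami-0123456789abcdef0" # placeholder
  instance_type = local.instance_type

  tags = {
    Name        = "app-${terraform.workspace}"
    Environment = terraform.workspace
  }
}

output "current_workspace" {
  value = terraform.workspace
}
```

Switching with terraform workspace new production (or terraform workspace select production) changes both the state file used and the value resolved above.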
Centralized Management
(Diagram: a Central Repository holding the Terraform Code that every workspace uses)
Terraform & GitIgnore
Terraform in detail
Overview of gitignore
The .gitignore file is a text file that tells Git which files or folders to ignore in a project.
.gitignore
conf/
*.artifacts
credentials
Terraform and .gitignore
crash.log   If Terraform crashes, the logs are stored in a file named crash.log.
Terraform Backend
Terraform in detail
Basics of Backends
Backends primarily determine where Terraform stores its state.
By default, Terraform implicitly uses a backend called local to store state as a local file on disk.
demo.tf
terraform.tfstate
Challenge with Local Backend
Nowadays a Terraform project is handled collaboratively by an entire team.
Storing the state file on a local laptop will not allow collaboration.
Ideal Architecture
Following describes one of the recommended architectures:
terraform.tfstate
Project Collaborators
Central Backend
Backends Supported in Terraform
Terraform supports multiple backends that allow remote-service-related operations.
● S3
● Consul
● Azurerm
● Kubernetes
● HTTP
● ETCD
Important Note
Accessing state in a remote service generally requires some kind of access credentials.
Some backends act like plain "remote disks" for state files; others support locking the state while
operations are being performed, which helps prevent conflicts and inconsistencies.
State Locking
Let’s Lock the State
Understanding State Lock
Whenever you perform a write operation, Terraform locks the state file.
This is very important: otherwise, if others run terraform apply while your apply is
still in progress, the concurrent writes can corrupt your state file.
Basic Working
(Diagram: User 1 runs terraform apply and holds the lock on the State File)
Important Note
State locking happens automatically on all operations that could write state. You won't see any
message that it is happening.
Not all backends support locking. The documentation for each backend includes details on
whether it supports locking or not.
Force Unlocking State
Terraform has a force-unlock command to manually unlock the state if unlocking failed.
If you unlock the state when someone else is holding the lock it could cause multiple writers.
Force unlock should only be used to unlock your own lock in the situation where automatic
unlocking failed.
State Locking in S3 Backend
Back to Providers
State Locking in S3
By default, S3 does not support State Locking functionality.
You need to make use of DynamoDB table to achieve state locking functionality.
(Diagram: terraform.tfstate stored in an S3 Bucket, with locking provided by a DynamoDB table)
Terraform State Management
Setting the Base
As your Terraform usage becomes more advanced, there are some cases where
you may need to modify the Terraform state.
Sub-Command   Description
pull          Manually download and output the state from remote state.
Use this sub-command when you need to remove a resource from Terraform's state management without destroying it.
Sub-Command 5 - mv
The terraform state mv command is used to move an item in the state to a
different address.
Sub-Command 6 - replace-provider
The terraform state replace-provider command is used to replace the provider
for resources in a Terraform state.
Remote State Data Source
Setting up the Base
In larger enterprises, there can be multiple different teams working on different
aspects of an infrastructure resource.
(Diagram: the Networking Team's Remote State holds Output Values with Public IPs 52.30.20.5 and 52.50.20.5; the Security Team manages the Firewall Rules)
Understanding the Challenge
Security Team wants that all the IP addresses added as part of Output Values in
tfstate file of Networking Team project should be whitelisted in Firewall.
(Diagram: the Security Team fetches the Output Values (52.30.20.5, 52.50.20.5) from the Networking Team's Remote State and whitelists them in the Firewall Rules)
What Needs to be Achieved
1. The code from Security Team project should connect to the terraform.tfstate
file managed by the Networking team.
2. The code should fetch all the IP addresses mentioned in the output values
in the state file.
2. Create Elastic IP resource in Networking Team and Store the State file in S3
bucket. Output values should have information of EIP.
3. In Security Team, use Terraform Remote State data source to connect to the
tfstate file of Networking Team.
4. Use the Remote State to fetch EIP and whitelist it in Security Group rule.
Introducing Remote State Data Source
The terraform_remote_state data source allows us to fetch output values from a
specific state backend.
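The Networking Team / Security Team scenario end to end, covering both the S3 backend with DynamoDB state locking from the earlier section and the remote state data source, as an added example (not the course's demo code); bucket, table, key names and the security group id are placeholders:

```hcl
# Added example, not from the course slides. Two root modules are shown in
# one block; the file each part belongs to is given in the comment above it.

# --- networking/main.tf (Networking Team) ---
terraform {
  backend "s3" {
    bucket         = "example-terraform-state"  # placeholder bucket
    key            = "networking/terraform.tfstate"
    region         = "ap-south-1"
    dynamodb_table = "terraform-state-lock"     # placeholder table; hash key LockID (string)
    encrypt        = true
  }
}

resource "aws_eip" "nat" {
  domain = "vpc"
}

# Only values exposed as outputs are readable by other projects.
output "eip_public_ip" {
  value = aws_eip.nat.public_ip
}

# --- security/main.tf (Security Team) ---
data "terraform_remote_state" "networking" {
  backend = "s3"
  config = {
    bucket = "example-terraform-state"        # same placeholder bucket
    key    = "networking/terraform.tfstate"
    region = "ap-south-1"
  }
}

resource "aws_security_group_rule" "allow_networking_eip" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = "sg-0123456789abcdef0" # placeholder
  # Whitelist just the EIP read from the Networking Team's state.
  cidr_blocks       = ["${data.terraform_remote_state.networking.outputs.eip_public_ip}/32"]
}
```

Reading remote state needs only read access to the bucket object, while writers also need permission on the DynamoDB table for the lock.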
Organization now wants to start using Terraform and manage these resources
via Terraform.
Manually Created
Earlier Approach
In the older approach, Terraform import would create the state file associated
with the resources running in your environment.
(Diagram: s3.tf and ec2.tf are written manually; terraform import then creates terraform.tfstate for the manually created resources)
Newer Approach
In the newer approach, terraform import can automatically create the terraform
configuration files for the resources you want to import.
(Diagram: terraform import generates resources.tf and terraform.tfstate for the manually created resources)
Point to Note
This dramatically reduces the amount of time you need to spend writing code to
match the imported
(Diagram: resources in the Singapore Region and the Mumbai Region)
Setting the Base
At this stage, we have been dealing with single provider configuration.
Secrets can include database passwords, AWS access/secret keys, API tokens, encryption keys
and others.
Dynamic Secrets
Life Becomes Easier
Once Vault is integrated with multiple backends, your life will become much easier and you can
focus more on the right work.
Vault Provider
Back to Providers
Vault Provider
The Vault provider allows Terraform to read from, write to, and configure HashiCorp
Vault.
(Diagram: Vault stores db_creds (admin / password123); Terraform reads and injects them)
Important Note
Interacting with Vault from Terraform causes any secrets that you read and write to be
persisted in Terraform's state file (and in any generated plan files).
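Reading db_creds from Vault and injecting it into a database, as an added example (not code from the course slides); the Vault address, secret path and database identifier are placeholders:

```hcl
# Added example, not from the course slides. Address, path and names are placeholders.
provider "vault" {
  address = "https://vault.example.internal:8200" # placeholder
  # The token is taken from the VAULT_TOKEN environment variable, not from code.
}

# KV version 1 path (placeholder). For KV v2 the path would include /data/.
data "vault_generic_secret" "db_creds" {
  path = "secret/db_creds"
}

resource "aws_db_instance" "app" {
  identifier          = "app-db" # placeholder
  engine              = "mysql"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = data.vault_generic_secret.db_creds.data["username"]
  password            = data.vault_generic_secret.db_creds.data["password"]
  skip_final_snapshot = true
}

# The data attribute is marked sensitive, so it is redacted in plan output,
# but the username and password above are still written in plain text to
# terraform.tfstate: protect and encrypt the state backend accordingly.
output "db_endpoint" {
  value = aws_db_instance.app.endpoint
}
```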
Terraform Cloud
Terraform in detail
Overview of Terraform Cloud
Terraform Cloud manages Terraform runs in a consistent and reliable environment with various
features like access controls, private registry for sharing modules, policy controls and others.
Sentinel
Terraform Cloud In Detail
Overview of the Sentinel
Sentinel is a policy-as-code framework integrated with the HashiCorp Enterprise products.
It enables fine-grained, logic-based policy decisions, and can be extended to use information
from external sources.
Air Gapped Environments
Installation Methods
Understanding Concept of Air Gap
An air gap is a network security measure employed to ensure that a secure computer network
is physically isolated from unsecured networks, such as the public Internet.
Usage of Air Gapped Systems
Air Gapped Environments are used in various areas. Some of these include:
Terraform Enterprise Installation Methods
Terraform Enterprise installs using either an online or an air gapped method and, as the
names imply, one requires internet connectivity and the other does not.
(Diagram: Terraform Enterprise running on an Isolated Server)
Terraform Challenges
Key Observations
At this stage, we have been learning core concepts of Terraform step by step.
Whenever learning a new technology, small set of practical projects are always
useful to grasp the practical aspects of a technology.
Introducing Terraform Challenges
With Terraform Challenges, we aim to reduce the gap between learning and
gaining practical experience.
About the Challenges
Each Challenge will test you in different areas of Terraform that will help you gain
some kind of hands-on experience.
(Diagram: challenge areas: Troubleshoot, Secure, Optimize, Analyze)
Workflow Steps
We will have multiple sets of challenges.
After each challenge video, we will have a Solution Hints video and then the
Practical Solution video.
The code was written a few years back based on the old Terraform version.
What you need to do?
1. Create Infrastructure using the provided code (without modifications).
2. Verify if the code works in the latest version of Terraform and the provider.
3. Modify and Fix the code so that it works with latest version of Terraform.
Instead, use the required_providers block to define the provider and its version constraints.
Hint 4 - Terraform Core Version Requirement
Since the challenge states that latest version of Terraform should be used, you
can plan to remove the required_version block from the code.
Hint 5 - Code Upgrade
Does the resource block of “aws_eip” work with the latest version of Terraform?
It can happen that latest AWS provider requires some changes in the aws_eip
resource block. Incorporate these changes to ensure EIP gets created.
Terraform Challenge 2
Understanding the Challenge
A sample code has been provided to you that creates certain resources.
You are required to optimize the code following the Best Practices.
Conditions to Meet
1. Ensure the code is working and resource gets created.
This will make it easier to identify the resource among all others.
Hint 4 - Variable Precedence
Naming pattern: admin-user-{account-number-of-aws}
AWS account 12345 -> admin-user-12345
AWS account 67890 -> admin-user-67890
Requirement - 2
Client wants to have a logic that will show names of ALL users in AWS account
in the output.
Requirement - 3
Along with list of users in AWS, client also wants Terraform to show Total number
of users in AWS.
(Diagram: an AWS Account with 3 Users)
TF Challenge 4 - Solution Hints
Hint 1 - Data Sources
You can try to dynamically fetch information like AWS Account ID, User names
using Data Sources.
Hint 2 - Functions
You need to make use of Terraform Function that can calculate total number of
users and output it.
Overview of HashiCorp Exams
Let’s Get Certified!
Overview of HashiCorp Associate Exams
Overview of the basic exam related information.
Duration     1 hour
Questions    57
Language     English
Expiration   2 years
Multiple Choice
● True or False
● Multiple Choice
● Fill in the blank
Delta Type of Question
Example 1:
Format - Online Proctored
My Experience - Before Room
My Experience - After Room
My Experience - My Desk
Registration Process
The high-level steps for registering for the exams are as follows:
Make sure to complete the system check.
Exam Preparation - Part 1
Providers in AWS
A provider is responsible for understanding API interactions and exposing
resources.
When we run terraform init, plugins required for the provider are automatically
downloaded and saved locally to a .terraform directory.
Interesting Question
Is provider block {..} mandatory to be added as part of your Terraform
configuration? Yes/No
Two Pointers from Documentation
All Terraform configurations must declare which providers they require so that
Terraform can install and use them.
Even if you skip the provider block itself, terraform apply will still work fine.
Alias in Providers
alias can be used for using the same provider with different configurations for
different resources.
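One default aws provider for Mumbai and an aliased one for Singapore, selected per resource, together with the required_providers block, as an added example (not code from the course slides); the AMI ids are placeholders:

```hcl
# Added example, not from the course slides. AMI ids are placeholders.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Default configuration: used by any resource without a provider argument.
provider "aws" {
  region = "ap-south-1" # Mumbai
}

# Aliased configuration for a second region.
provider "aws" {
  alias  = "singapore"
  region = "ap-southeast-1"
}

resource "aws_instance" "mumbai" {
  ami           = "ami-0123456789abcdef0" # placeholder ap-south-1 AMI
  instance_type = "t2.micro"
}

resource "aws_instance" "singapore" {
  provider      = aws.singapore           # <provider name>.<alias>
  ami           = "ami-0fedcba9876543210" # placeholder ap-southeast-1 AMI
  instance_type = "t2.micro"
}
```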
Point to Note
This is the first command that should be run after writing a new Terraform
configuration. It is safe to run multiple times.
Terraform Init Upgrade
terraform init -upgrade installs the latest module and provider versions
allowed within the configured constraints.
If you already have provider plugins installed and then define new version
constraints that match a different version, you will have to run terraform init -upgrade.
Terraform Plan
The terraform plan command is used to create an execution plan.
The state file is not modified, even when the plan detects drift between the real-world
infrastructure and the state.
Saving Plan to File
You can use the optional -out=FILE option to save the generated plan to a file on
disk, which you can later execute by passing the file to terraform apply as an
extra argument.
Terraform Apply can change, destroy and provision resources but cannot import
any resource.
Terraform Destroy
Terraform fmt
For use-cases where all configuration written by team members needs to follow a
consistent code style, terraform fmt can be used.
(Diagram: code before and after terraform fmt)
terraform fmt options
You have to keep a note of two important flags for terraform fmt command
Command Description
-recursive Also process files in subdirectories. By default, only the given directory
(or current directory) is processed.
Exam Preparation - Part 2
Terraform Validate
terraform validate command validates the configuration files in a directory.
terraform refresh command reads the current settings from all managed remote
objects and updates the Terraform state to match.
This won't modify your real remote objects, but it will modify the Terraform state.
Resource type and Name together serve as an identifier for a given resource
and so must be unique.
set a collection of unique values that do not have any secondary identifiers or
ordering.
map a group of values identified by named labels, like {name = "Mabel", age =
52}.
Sub-Commands Description
pull Manually download and output the state from remote state.
The Team wants to destroy all the EC2 instances except the second instance
with the resource address of aws_instance.web[1].
You can set TF_LOG to one of the log levels TRACE, DEBUG, INFO, WARN or
ERROR to change the verbosity of the logs.
You can use import blocks to import more than one resource at a time.
(Diagram: terraform import generates resources.tf and terraform.tfstate for the manually created resources)
Import Workflow Steps
Local Values
Locals are used when you want to avoid repeating the same expression multiple
times.
Local values are created by a locals block (plural), but you reference them as
attributes on an object named local (singular).
Local value can reference values from other variables, locals etc.
Terraform Workspace
Terraform workspaces enable us to manage multiple sets of deployments from
the same sets of configuration files.
Not suitable when strong isolation between workspaces (for example stage vs prod) is required.
Instead of writing code from scratch, we can use multiple ready-made modules
available.
Calling a Module
Module source code can be present in a wide variety of locations including:
To reference a module, you need to make use of the module block and its source argument.
Terraform uses this during the module installation step of terraform init to download the source
code to a directory on local disk so that other Terraform commands can use it.
Example 1 - Local Paths
Local paths are used to reference a module that is available in the local
filesystem.
A local path must begin with either ./ or ../ to indicate that it is a local path.
A module that has been called by another module is often referred to as a child
module.
Meta Arguments in Terraform
Terraform allows us to include meta-arguments within the resource block, which
allows some details of this standard resource behaviour to be customized on a
per-resource basis.
count Accepts a whole number, and creates that many instances of the resource
for_each Accepts a map or a set of strings, and creates an instance for each item in that
map or set.
Argument               Description
create_before_destroy  The new replacement object is created first, and the prior object is destroyed after the replacement is created.
prevent_destroy        Causes Terraform to reject with an error any plan that would destroy the infrastructure object associated with the resource.
ignore_changes         Ignores certain changes to the live resource that do not match the configuration.
replace_triggered_by   Replaces the resource when any of the referenced items change.
Count and Count Index
The count argument accepts a whole number, and creates that many instances
of the resource.
(Diagram: instances indexed 0, 1, 2)
Exam Preparation - Part 3
Find the Issue - Use-Cases
You can expect a use case in exam with a sample Terraform code, and you must
find what should be removed as part of Terraform best practice.
Sentinel
Sentinel is an embedded policy-as-code framework integrated with the
HashiCorp Enterprise products. Sentinel is a proactive service.
The output of terraform graph is in the DOT format, which can easily be
converted to an image.
Input Variables
Terraform input variables are used to pass certain values from outside of the
configuration
Name Value
vpn_ip 101.0.62.210/32
app_port 8080
Variable File
Terraform TFVARS
terraform.tfvars file can be used to define value to all the variables.
1. Variable Defaults.
3. Environment Variables
1. Environment variables
2. The terraform.tfvars file, if present.
3. The terraform.tfvars.json file, if present.
Terraform will ask you to supply the value associated with them.
Not Allowed Variable Names
We cannot use all words within variable names.
Terraform reserves some additional names that can no longer be used as input
variable names for modules. These reserved names are:
● count
● depends_on
● for_each
● lifecycle
● providers
● source
Points to Note - State File
Terraform state file generally stores details about the resources that it manages.
Output values will be stored in the state file, but not their description.
Terraform Console
Terraform Console provides an interactive environment specifically designed to
test functions and experiment with expressions before integrating them into your
main code.
Dependency Lock File
The Terraform dependency lock file allows us to lock to a specific version of a
provider. Its name is .terraform.lock.hcl, and it tracks provider dependencies.
If a particular provider already has a selection recorded in the lock file, Terraform
will always re-select that version for installation, even if a newer version has
become available.
In the following screenshot, Terraform will create EC2 first before EIP.
Dependencies - Explicit
Explicitly specifying a dependency is only necessary when a resource relies on
some other resource's behavior but doesn't access any of that resource's data in
its arguments.
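The implicit EC2-before-EIP ordering beside an explicit depends_on, as an added example (not code from the course slides); the AMI id and bucket name are placeholders:

```hcl
# Added example, not from the course slides. AMI id and bucket are placeholders.
resource "aws_iam_role" "app" {
  name = "app-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "s3_read" {
  name = "s3-read"
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = ["arn:aws:s3:::example-bucket/*"] # placeholder bucket
    }]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "app-profile"
  role = aws_iam_role.app.name
}

resource "aws_instance" "app" {
  ami                  = "ami-0123456789abcdef0" # placeholder
  instance_type        = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.app.name

  # Explicit dependency: nothing in this block reads the policy's attributes,
  # yet software on the instance needs the S3 permission at boot. Without
  # depends_on Terraform could create the instance before the policy exists.
  depends_on = [aws_iam_role_policy.s3_read]
}

# Implicit dependency: the EIP reads aws_instance.app.id, so Terraform
# creates the instance first without any depends_on.
resource "aws_eip" "app" {
  domain   = "vpc"
  instance = aws_instance.app.id
}
```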
● Single Sign-On
● Auditing
● Private Data Center Networking
● Clustering
Team & Governance features are not available in Terraform Cloud Free (they are a paid feature).
Remote Backend
The remote backend stores Terraform state and may be used to run operations
in Terraform Cloud.
When using full remote operations, operations like terraform plan or terraform
apply can be executed in Terraform Cloud's run environment, with log output
streaming to the local terminal.
Secure Variable Storage is available in Terraform Enterprise and Cloud but not in
the normal version of Terraform.
Terraform Cloud / Enterprise comes with a Private Module registry which allows
organizations to restrict access based on requirements.
Sensitive Values in HCP
To protect secret values in HCP, you can mark any Terraform or environment
variable as sensitive data by clicking its Sensitive checkbox that is visible during
editing. Marking a variable as sensitive makes it write-only and prevents all
users (including you) from viewing its value.
A similar kind of functionality was achieved using the terraform taint command in
older versions of Terraform. Not recommended now.
Benefits of IAC Tool
There are three primary benefits of Infrastructure as Code tools:
● Terraform
● CloudFormation
● Azure Resource Manager
● Google Cloud Deployment Manager
terraform output
The terraform output command is used to extract the value of an output variable
from the state file.
Module Source and Git Branches
By default, Terraform will clone and use the default branch (referenced by
HEAD) in the selected repository.
Format: ?ref=<version-number>
Splat Expressions
Splat Expression allows us to get a list of all the attributes.
Resources that use the for_each argument will appear in expressions as a map
of objects, so you can't use splat expressions with those resources.
Important Documentation Reference - Splat
Point to Note
Will this code block display the names of all the IAM usernames created?
Answer = NO
Legacy Splat Expression
Earlier versions of the Terraform language had a slightly different version of splat
expressions, which Terraform continues to support for backward compatibility.
The legacy "attribute-only" splat expressions use the sequence .*, instead of [*]:
Fetching Values from List
To fetch the instance_type value of m5.xlarge from the list, you reference
index 1 (list indices start at 0):
var.size[1]
Fetching Values from Map
To reference the "t2.small" instance type from the below map, index the map by
its key:
var.types["ap-south-1"]
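The following is an added example, not code from the KPLABS slides; the variable definitions, AMI id and the extra region key are constructed to match the m5.xlarge and t2.small references above. It shows list indexing, map indexing by key, and lookup() with a default for a key that may be absent.

```hcl
# Added example (not from the KPLABS slides); values and AMI id are constructed.
variable "size" {
  type    = list(string)
  default = ["m5.large", "m5.xlarge", "m5.2xlarge"]
}

variable "types" {
  type = map(string)
  default = {
    "us-east-1"  = "t2.micro"
    "ap-south-1" = "t2.small"
  }
}

resource "aws_instance" "list_indexed" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI id
  instance_type = var.size[1]             # index 1 is the second element, m5.xlarge
}

resource "aws_instance" "map_keyed" {
  ami           = "ami-0123456789abcdef0"
  instance_type = var.types["ap-south-1"] # t2.small
}

# lookup() supplies a default instead of failing the plan when the key is missing.
resource "aws_instance" "map_lookup" {
  ami           = "ami-0123456789abcdef0"
  instance_type = lookup(var.types, "eu-west-1", "t2.micro")
}
```

Referencing a list index that does not exist, or a map key that is not present without lookup(), is caught at plan time, so the mistake never reaches the provider.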
Dealing with Larger Infrastructure
Cloud Providers set a certain rate limit, so Terraform can only request a
certain number of resources over a period of time.
Alternatively, you can make use of the -refresh=false and -target flags as a
workaround (not recommended).
BackEnds
Backends primarily determine where Terraform stores its state.
When configuring a backend for the first time (moving from no defined backend
to explicitly configuring one), Terraform will give you the option to migrate your
state to the new backend.
This lets you adopt new backends without losing any existing state.
Local Backend
The local backend stores the state on the local filesystem, locks that state using
system APIs, and performs operations locally.
By default, Terraform uses the "local" backend, which is the normal behavior of
Terraform you're used to.
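The following is an added example, not code from the KPLABS slides; the bucket, DynamoDB table, key path and KMS key ARN are placeholders. It shows the local backend that applies by default next to a remote S3 backend configured with encryption at rest and state locking, which is the configuration a team would migrate to.

```hcl
# Added example (not from the KPLABS slides). Bucket, table, key and KMS ARN
# are placeholders.
terraform {
  # Default behaviour when no backend block exists: state lives in
  # ./terraform.tfstate and is locked with local filesystem APIs.
  # backend "local" {
  #   path = "terraform.tfstate"
  # }

  # Remote state in S3: encrypted at rest, locked through DynamoDB so two
  # concurrent applies cannot corrupt the state file.
  backend "s3" {
    bucket         = "example-tfstate-bucket"                # placeholder
    key            = "prod/network/terraform.tfstate"
    region         = "ap-south-1"
    encrypt        = true                                    # server-side encryption of the state object
    kms_key_id     = "arn:aws:kms:ap-south-1:123456789012:key/00000000-0000-0000-0000-000000000000" # placeholder
    dynamodb_table = "example-tfstate-lock"                  # placeholder; enables state locking
  }
}

# Moving from the local backend to this one: run "terraform init" and accept the
# prompt to copy existing state, or pass -migrate-state to do it non-interactively.
```

Since the state file stores resource attributes in clear text (including any values marked sensitive in the configuration), restricting who can read the bucket matters as much as the encryption setting.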
Air Gapped Environments
An air gap is a network security measure employed to ensure that a secure
computer network is physically isolated from unsecured networks, such as the
public Internet.
(Diagram: Isolated Server, Terraform Enterprise)
Requirements for Publishing Module in Registry
Core Requirement           Description
Name                       Format: terraform-<PROVIDER>-<NAME>
                           Example: terraform-aws-ec2-instance
Repository description     The GitHub repository description is used to populate the
                           short description of the module.
Standard module structure  The module must adhere to the standard module structure.
                           This allows the registry to inspect your module and
                           generate documentation, track resource usage, parse
                           submodules and examples, and more.
Overuse of Dynamic blocks can make configuration hard to read and maintain.
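The following is an added example, not code from the KPLABS slides; the rule list, security group name and VPC id are constructed. It shows a dynamic block generating one ingress rule per element of a variable, which is the pattern the caveat above refers to: the resulting rules are no longer visible by reading the resource block alone.

```hcl
# Added example (not from the KPLABS slides); rules and VPC id are constructed.
variable "ingress_rules" {
  type = list(object({
    description = string
    port        = number
    cidr_blocks = list(string)
  }))
  default = [
    { description = "https from office", port = 443, cidr_blocks = ["203.0.113.0/24"] },
    { description = "ssh from bastion", port = 22, cidr_blocks = ["10.0.0.0/24"] },
  ]
}

resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = "vpc-0123456789abcdef0" # placeholder

  # One ingress block is emitted per element of var.ingress_rules; inside
  # "content", the iterator is named after the block label ("ingress").
  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      description = ingress.value.description
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = "tcp"
      cidr_blocks = ingress.value.cidr_blocks
    }
  }
}
```

A reviewer of this file cannot tell which ports are open without also reading every place var.ingress_rules is set; for a handful of fixed rules, writing the ingress blocks out statically is easier to audit.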
Miscellaneous Pointers
GitHub is not a supported backend type in Terraform.
API and CLI access for Terraform Cloud can be managed through API tokens
that can be generated from the Terraform Cloud UI.
Terraform uses parallelism to reduce the time it takes to create resources. By
default, this value is set to 10.
Code Formatting Recommended Practices
Indent two spaces for each nesting level
Terraform providers are NOT always installed through the internet. There is a
different offline approach for air-gapped systems.
Terraform and Terraform Provider NEED NOT have the same major version for
compatibility.
Sensitive Parameter
Adding sensitive parameter ensures that you do not accidentally expose this
data in CLI output, log output.
● Running terraform apply or any other command that modifies the state file (e.g.
terraform plan, terraform destroy, etc.)
● Running terraform refresh, which updates the state file to reflect the current state
of the infrastructure
If you are making use of a Git repository for committing Terraform code, the
.gitignore should be configured to ignore certain Terraform files that might contain
sensitive data.
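The following is an added example, not code from the KPLABS slides; the variable, database identifier and credentials are constructed. It covers the sensitive parameter passage and the .gitignore passage above: the variable is redacted from CLI and log output, sensitivity propagates to anything derived from it, and the comment at the end lists the files that still hold the clear-text value and so must be kept out of the repository.

```hcl
# Added example (not from the KPLABS slides); names and values are constructed.
variable "db_password" {
  type      = string
  sensitive = true # shown as (sensitive value) in plan and apply output
}

resource "aws_db_instance" "example" {
  identifier          = "example-db"
  engine              = "mysql"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "admin"
  password            = var.db_password # redacted in output, but stored in clear text in the state file
  skip_final_snapshot = true
}

# Sensitivity propagates: an output derived from a sensitive value must itself be
# marked sensitive, otherwise Terraform refuses the configuration.
output "db_password_length" {
  value     = length(var.db_password)
  sensitive = true
}

# Entries for .gitignore, because these files can contain the clear-text value:
#   *.tfstate
#   *.tfstate.*
#   *.tfvars
#   .terraform/
```

The sensitive flag protects terminal and log output only; terraform output -raw on a sensitive output, and the state file itself, still reveal the value, which is why the state backend's access controls and the .gitignore entries are part of the same control.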
1. If supported by your backend, Terraform will lock your state for all
operations that could write state.