Provisioners and Provisioning
Passing Data to Servers
Use cloud platform mechanisms (e.g., EC2 user data) to pass data at instance creation.
Provisioners that connect over SSH or WinRM can also be used but are less preferred.
Provisioning Files
Use the cloudinit_config data source to render provisioning files as text/cloud-config content.
Use MIME configurations. Although mainly used for provisioning files, a multi-part MIME payload can combine several content types into a single user-data payload for bootstrapping or more complex configuration.
Provisioners vs. Providers
Provisioners like local-exec and null_resource should be a last resort.
Example: Installing pymysql using local-exec.
First Preference: Use providers and resource blocks to manage infrastructure declaratively. Provisioners are primarily for tasks not natively supported by providers, like running scripts.
Provisioner Types
file provisioner: Copies files from the local machine to remote resources.
local-exec and remote-exec: Execute commands locally or on remote resources.
Terraform Modules
Module Configuration
Access output variables using module.MODULE_NAME.OUTPUT_NAME.
source is the only mandatory argument; optional arguments include version, count, depends_on, etc.
Referencing and Publishing Modules
Reference private modules: <HOSTNAME>/<ORGANIZATION>/<MODULE NAME>/<PROVIDER>.
Publish modules to the registry: Must adhere to naming conventions and include repository descriptions.
State Management
State File Basics
Sensitive data: the state file can hold resource attributes in plaintext, so avoid committing terraform.tfstate to version control.
Use terraform state list to view resources and terraform state show to inspect a resource's attributes.
State Operations
terraform state mv: Rename resources in the state file.
terraform state rm: Remove a resource binding without destroying it.
terraform state pull: Download the state file from remote storage.
terraform state push: Upload the state file to remote storage.
terraform state replace-provider: Replace provider references in the state file.
Backends and State Locking
Backend types: Local, S3, GCS, azurerm, Consul, HTTP, Kubernetes, OSS, Postgres.
State locking: Some backends (e.g., Consul, S3 with a DynamoDB table, and azurerm) support locking by default or as an option.
Command Usage
Initialization and Configuration
terraform init: Initializes plugins, backends, and modules.
Use -migrate-state to move state between backends.
Validation and Execution
terraform validate: Checks the configuration for syntax errors and internal consistency without contacting remote APIs.
terraform apply -replace=<address>: Force replacement of a specific resource.
Environment Variables
TF_LOG: Enable detailed logging (TRACE, INFO, WARN, etc.).
TF_VAR_: Prefix environment variables for Terraform variables.
Workspaces
Workspaces are essentially separately named state files for the same configuration; they also add safeguards and conveniences for managing isolated environments across multiple state files.
Create a new workspace: terraform workspace new <name>.
Workspace states are stored in the terraform.tfstate.d directory.
Providers
Managing Providers
Specify versions using required_providers block.
Run terraform init -upgrade to update providers.
Provider-Specific Details
Multiple providers: Define separate blocks for each.
Terraform plugins handle API interactions with remote systems.
Data Sources
Data sources fetch external data for use in configurations.
Example: Fetch AMI IDs or other cloud resource details dynamically.
Security Best Practices
Store credentials securely; avoid plaintext storage.
Terraform Cloud encrypts state at rest and protects it during transit.
Use environment variables (TF_VAR_) to pass sensitive data like API keys.
Limit access to state files and remote backend configurations using role-based permissions.
Regularly audit state files for sensitive information.
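As an added example (not from these notes), a configuration that puts the backend and credential guidance above into practice: an S3 backend with server-side encryption and DynamoDB locking, a sensitive input variable supplied through TF_VAR_ instead of a committed .tfvars file, and a pinned provider. Bucket, table, key alias and parameter names are placeholders.

```hcl
terraform {
  required_version = ">= 1.5.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # pinned; update deliberately with terraform init -upgrade
    }
  }

  # Remote state: encrypted at rest, locked during writes.
  # Bucket, table and key names below are placeholders.
  backend "s3" {
    bucket         = "example-tfstate-bucket"
    key            = "prod/network/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                    # server-side encryption of the state object
    kms_key_id     = "alias/example-tfstate" # optional customer-managed KMS key
    dynamodb_table = "example-tfstate-lock"  # state locking; table needs a LockID string hash key
  }
}

# Sensitive input: set with `export TF_VAR_db_password=...`, never in a committed .tfvars file.
variable "db_password" {
  type      = string
  sensitive = true # redacted from plan/apply output; still written to state, so protect the backend
}

# The value reaches the resource but is not shown in plan/apply output.
resource "aws_ssm_parameter" "db_password" {
  name  = "/example/db/password"
  type  = "SecureString"
  value = var.db_password
}

# Non-sensitive output: the parameter's ARN, not its value.
output "db_password_parameter_arn" {
  value = aws_ssm_parameter.db_password.arn
}
```

Restricting who can read the bucket and the lock table (IAM) is what enforces the role-based access mentioned above; `sensitive = true` only controls CLI output, not what lands in state.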
Terraform Cloud and Enterprise
Advanced features: Access controls, cost estimation, and alerts.
Terraform Enterprise supports operating systems like Ubuntu and RHEL.
Advanced Topics
Sentinel Policies
Applied after terraform plan and before terraform apply.
Versioning
Precedence for variable sources, lowest to highest (a later source overrides an earlier one):
Environment variables
terraform.tfvars
*.auto.tfvars.json
Command-line -var or -var-file.
CLI Commands Summary
terraform show: Displays current state in a human-readable format.
terraform logout: Removes stored credentials for Terraform Cloud.
terraform plan: Preview changes to be made to the infrastructure.
terraform refresh: Update the state file with the latest resource status.
terraform graph: Generate a visual representation of resource dependencies.
terraform destroy: Remove all resources managed by the configuration.