Understanding Terraform: A Comprehensive Guide to Infrastructure as Code (IaC)
What is Terraform?
Terraform, developed by HashiCorp, is a powerful Infrastructure as Code (IaC) tool designed to streamline the provisioning, configuration, and management of infrastructure resources. Utilizing the HashiCorp Configuration Language (HCL), Terraform allows users to define infrastructure components in a declarative manner.
Understanding Infrastructure as Code (IaC)
Infrastructure as Code (IaC) revolutionizes the way infrastructure is provisioned and managed by enabling users to automate these processes through code. With IaC, manual changes are replaced with code-based configurations, facilitating consistency, scalability, and reproducibility.
How Terraform Works
Terraform operates by generating a plan based on the desired state defined in the configuration files. This plan outlines the necessary changes to align the infrastructure with the specified configuration. By graphing resource dependencies, Terraform ensures accurate and concurrent application of these changes.
Terraform in AWS
As part of the AWS DevOps competency, Terraform facilitates the creation and orchestration of resources within the AWS environment. It serves as a versatile alternative to AWS CloudFormation, offering support for various providers and enhancing the readability of infrastructure configurations.
Key Terraform Commands
- init: initializes the current directory, downloading required modules and plugins
- plan: outputs the changes that would be made on execution
- apply: applies the changes to bring the system to the desired state
- destroy: destroys all resources that are in the terraform state
- output: lists the outputs
- refresh: refreshes the state file
- graph: creates a dot-formatted graph
- import: imports resources that already exist on the provider but are not part of the terraform state
- state pull: pulls the terraform state and outputs it. Useful for migrating state files
What does the terraform “target” argument do?
The target argument allows a single resource to be targeted for an operation. It can be useful to make targeted updates on large infrastructure.
What is the terraform state?
The terraform state is where terraform stores the metadata of the resources it is managing.
What is the “terraform_remote_state” data source?
The terraform_remote_state data source enables the sharing of outputs with a different terraform state file. It is useful because it adds reusability and consistency, and makes collaboration easier between different projects.
data "terraform_remote_state" "networking" {
  backend = "s3"
  config = {
    bucket = "example-bucket"
    key    = "networking.tfstate"
    region = "us-west-2"
  }
}

resource "aws_instance" "example" {
  // Use the remote state output as input for resource configuration
  subnet_id = data.terraform_remote_state.networking.outputs.subnet_id
  // …
}
What does “terraform init” do?
terraform init is typically the first command run on a new terraform design. It downloads plugins (required_providers) and modules, and creates an operational cache.
What is the “null_resource” and what can it be used for in terraform?
It implements the base resource library and does nothing itself, but through triggers it enables other resources to be replaced.
Introduction to Terraform Cloud
Terraform Cloud, a commercial platform by HashiCorp, offers advanced features for team collaboration, state management, source control integration, and workflow automation. It provides a centralized platform for executing Terraform configurations and managing infrastructure resources with ease.
What is a terraform backend?
Terraform configuration uses a backend to define mainly two components:
- Where is the state stored
- Where are the operations performed
What are some alternatives to terraform?
- Pulumi
- AWS CloudFormation
- Azure Management Tools
What are terraform modules?
A terraform module groups multiple resources that work together and can be reused in other terraform configurations.
Can terraform be used for on-prem infrastructure?
Yes, terraform can be used with tools that expose an API. There are numerous providers available on the Terraform registry, and custom providers can also be created.
What can be done to resolve a duplicate resource error?
- Delete the resource and re-create via Terraform
- Remove the resource from the terraform configuration so it stops managing it
- Import the resource to the terraform state
What is the terraform resource graph?
It is a representation of the resources in a terraform configuration. It helps Terraform work out the dependencies so it can modify or create resources simultaneously.
How can sensitive data and secrets be handled in Terraform?
Terraform needs credentials to interact with many providers, and these must never be stored in the source code. One common practice is to use environment variables for the providers’ credentials and handle these in the environment where terraform is being executed.
Resources can also contain sensitive values, like a master password when a db is created. Terraform variables can be marked as sensitive to limit the exposure these have on terraform logs, but it’s important to note that the state file will store the unencrypted values. Hence, it’s important to implement access control to the terraform state.
Some resources, like databases, can also contain secrets. Automation with Terraform can help update these, ensuring that compliance is kept with minimal disruption to running services.
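Added example (not part of the original article): a small Python audit that reads a Terraform state file and lists the secrets readable in it, showing that marking a variable as sensitive hides it from logs but not from the state. The sample state is constructed, the version 4 "sensitive_attributes" layout is assumed, and the function names and the list of suspicious attribute names are illustrative choices.

```python
import json

# Constructed sample: a trimmed Terraform state (format version 4) as it would
# sit in a backend after creating a database from a `sensitive = true` variable.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{
             "attributes": {"identifier": "app-db", "username": "admin",
                            "password": "constructed-example-password"},
             "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
         }]},
        {"mode": "managed", "type": "aws_instance", "name": "example",
         "instances": [{"attributes": {"instance_type": "t3.micro"},
                        "sensitive_attributes": []}]},
    ],
})

# Assumed heuristic: attribute names that usually hold secrets even when unmarked.
SUSPECT_WORDS = ("password", "secret", "token", "private_key")


def marked_sensitive(instance):
    """Top-level attribute names the state itself flags as sensitive."""
    return {path[0]["value"] for path in instance.get("sensitive_attributes", [])
            if path and path[0].get("type") == "get_attr"}


def find_plaintext_secrets(state_text):
    """Return (address, attribute, reason) for each secret readable in the state."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            flagged = marked_sensitive(inst)
            for attr, value in inst.get("attributes", {}).items():
                if value in (None, "", [], {}):
                    continue  # nothing stored, nothing exposed
                if attr in flagged:
                    findings.append((address, attr, "marked sensitive"))
                elif any(word in attr.lower() for word in SUSPECT_WORDS):
                    findings.append((address, attr, "suspicious name"))
    return findings


if __name__ == "__main__":
    for address, attr, reason in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}.{attr}: stored in plaintext ({reason})")
```

Any finding means that whoever can read the state backend can read that value, which is why access control on the state matters.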
What is terragrunt?
Terragrunt is a thin wrapper around terraform that provides extra functionality to work with multiple AWS accounts, avoid repetition in the configurations (DRY), and execute terraform commands against multiple modules.
What is state file locking?
State file locking is a mechanism that prevents multiple processes from running into race conditions that would create conflicts by trying to update the state simultaneously.
What is a tainted resource?
Tainting a resource is a way of telling terraform to force a destroy and re-create on the next terraform apply.
How can you upgrade plugins in terraform?
First, you need to check the required_providers configuration, as this can restrict which versions are supported by the configuration.
Then you trigger a plugin update by executing terraform init -upgrade
How can you manage rollbacks in terraform?
Terraform is Infrastructure as Code, and in principle, all changes are committed to a central repository. Rollbacks can be implemented by checking out a previous version of the configuration and applying it.
What is “immutable infrastructure” and how can terraform support it?
Immutable infrastructure is a concept where infrastructure components are considered immutable and are not modified. Updates are done by creating new infrastructure resources with the new configuration and replacing the old ones.
Terraform helps this by:
- Declarative IaC: With terraform you describe the desired state of the configuration and not the steps to achieve it
- Infrastructure versioning: Keeping the configuration definition on source control tracks changes over time and enables rollback to previous versions.
- Immutable resource management: Resources can be marked for replacement, for example using the taint command, forcing terraform to re-create on apply
What is the resource graph in Terraform?
The resource graph is a graphical representation of the available resources. It enables Terraform to work out the dependencies so it can simultaneously operate on multiple resources.
How can you reconcile the state file with the actual infrastructure?
By using the terraform refresh command.
What is terraform core and what is it used for?
It’s a binary written in Go and it is the primary entry point for terraform.
Its main responsibilities are:
- Reading and interpolating configuration files
- Building the resource graph
- Plugin communication
- Plan execution
- Resource state management
What are the main differences between terratest and terraform test?
terratest:
- Golang: Tests are written in golang, allowing for more custom logic and added flexibility
- Maturity: terratest has been around for much longer so there’s better community support and a wealth of examples
- End-to-End testing: Validates actual infrastructure in real environments
terraform test:
- HCL: Uses HCL syntax for writing tests, so smaller learning curve
- Unit testing: Ideal for unit testing individual modules