KALPESH MOHANTA's Blog
Terraform: A Guide to Managing Your Infrastructure

Terraform: A Guide to Managing Your Infrastructure

KALPESH MOHANTA's photo
KALPESH MOHANTA
·

5 min read

Table of contents

Terraform

  • Terraform is an open-source infrastructure as code (IaC) software too

  • Uses configuration files defined in the HashiCorp Configuration Language (HCL) to specify the desired state of your infrastructure

Terraform state file

  • Terraform state files are JSON files that store information about resources created using Terraform code

  • It's a single sources of truth.

Terraform Life Cycle

Create Instance using Terraform

  • provider.tf: Provider Info
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.16"
    }
  }

  required_version = ">= 1.9.2"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_instance" "app_server" {
  ami           = "ami-04a81a99f5ec58529"
  instance_type = "t2.micro"

  tags = {
    Name = "Terraform_Demo"
  }
}

  • terraform validate: Checks the syntax and verifies if the configuration files are correct.

  • terraform init: Initializes the working directory containing Terraform configuration files. This command sets up the environment to understand and work with your Terraform configuration.

  • terraform plan: Prepares an execution plan, showing what changes Terraform will make to reach the desired state.

  • terraform apply: Applies the changes required to reach the desired state of the configuration.

  • terraform destroy: It destroys all the infra created by checking the state file.

Best Practices for Managing Terraform State Files

  • Store State Files Remotely: Always store Terraform state files remotely to avoid local file issues and ensure team collaboration.

  • Avoid Source Control: Do not commit state files to source control to prevent accidental exposure of sensitive information.

  • Read-Only Access: Only Terraform should have write access to the state file; other users should have read-only access.

  • State File Isolation: Isolate state files for different environments to reduce the risk of interference.

Remote Storage of State file in S3 and Locking with DynamoDB

S3- Use for Isolate the State file in remote backed.

DynamoDB- Use for State lock in order to avoid corruption.

  • Create resource in AWS Cloud using terraform main.tf
# This main.tf file contains resources to set up an S3 bucket & a DynamoDB.


# Generates a random string of 10 characters
resource "random_string" "bucket_suffix" {
   length  = 10
   special = false
   upper   = false
   number = true
   lower   = true
}

# Create S3 bucket
resource "aws_s3_bucket" "mybucket" {
  bucket = "kalpesh-unique-s3-bucket-name-${random_string.bucket_suffix.result}"
}

# Enable versioning
resource "aws_s3_bucket_versioning" "versioning" {
  bucket = aws_s3_bucket.mybucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Enable server-side encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
  bucket = aws_s3_bucket.mybucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}


# create DynamoDB
resource "aws_dynamodb_table" "statelock"{
        name = "state-lock"
        billing_mode = "PAY_PER_REQUEST"
        hash_key = "LockID"

        attribute {
                name = "LockID"
                type = "S"
        }
}

# This backend.tf file configures the remote backend for Terraform to use Amazon S3 for state file storage.


# /* ---*/ Make it a comment before running terraform apply, as DynamoDB and S3 will be created. After that, you can remove the comment.
# It ensures state consistency and locking using a DynamoDB table.


terraform {
  backend "s3" {
    bucket         = "kalpesh-unique-s3-bucket-name-<BUCKET-SUFFIX>" # Update this after bucket creation
    dynamodb_table = "state-lock"
    key            = "mystatefile/terraform.tfstate"
    region         = "ap-south-1" # Variables can't be used because the backend must be configured before Terraform initialization
    encrypt        = true
  }
}
  • terraform.tfstate will be stored in S3, and updates will occur remotely.

Terraform Dir Structure

  1. main.tf – containing the resource blocks that define the resources to be created in the target cloud platform.

  2. variables.tf – containing the variable declarations used in the resource blocks.

  3. provider.tf – containing the terraform block, s3 backend definition, provider configurations, and aliases.

  4. output.tf – containing the output that needs to be generated on successful completion of “apply” operation.

  5. *.tfvars – containing the environment-specific default values of variables.

Modules and Reusability

  • Modules in Terraform allow you to reuse code and manage configurations efficiently. You can use existing modules or write your own, by providing modules path.

  • Reusability, as we need to only pass the value or para.

Terraform Provisioner

Allows you to copy files or execute scripts during infrastructure creation.

Types of Provisioners:

  1. local-exec: Executes commands locally on the machine running Terraform.

  2. remote-exec: Executes commands on a remote resource via SSH or WinRM.

  3. file: Copies files from the local machine to the remote resource.

Terraform Workspace

  • Terraform Workspace: Manages multiple environments (e.g., dev, staging, prod) within the same configuration.

  • State File Isolation: Stores state files separately for each environment under .terraform/.

Commands for Workspaces

  • Create New Workspace:

      terraform workspace new <workspace_name>

    Separate state files for each environment are stored under terraform.tfstate.d

  • terraform tree:
    Displays the structure of your Terraform configuration directory.

      terraform tree

  • terraform select:
    Switches between workspaces.

      terraform workspace select <workspace_name>

  • terraform show:
    Displays details about the current workspace.

      terraform show

Terraform HashiCorp Vault

  • Securely stores and manages secrets (e.g., API keys, passwords).

Installation

  • Install Vault on a server (e.g., EC2) and configure its inbound rules to allow web access.

Vault Components

  • Secret Engines: Manage and store secrets (e.g., AWS keys, database passwords).

  • Access: Similar to AWS IAM roles; defines who can access Vault resources.

  • Policies: Similar to AWS IAM policies; specifies what actions are allowed on Vault resources.

Problems with Terraform

  1. Single Source of Truth: The state file is the single source of truth and managing it can become complex.

  2. Manual Changes: Changes made directly in the cloud are not automatically corrected by Terraform; you need to use terraform refresh to update the state.

  3. Complexity: As configurations grow, managing Terraform can become complex.

  4. Configuration Management: Terraform is not a configuration management tool; for tasks like application configuration, tools like Ansible are recommended.

Terraformterraform-cloudterraform-stateDevops