- Automated way to achieve repeatable and scalable infrastructure. If we manually build infrastructure and then need to repeat the process, a) it would take double the time and b) chance of making an error / applying a different setting are high. If we use IaC tool like Terraform, we define infrastructure with all its parameters once, in a code, and then provision it and destroy it as many times as we wish.
- Shorter deployment times. No manual work is required.
- Lower costs. Defining infrastructure is done only once.
- All resources are defined in the code =>
- versioning: each resource setup can be versioned and then reverted to the last stable version in case of any issues
- each change is recorded
- multiplying/scaling resources is very fast and easy - often just a matter of adding new items in a list; no repetitive
- it is super-fast and extremely handy when migrating resources from one to another cloud (e.g. AWS) account (see amazon web services - How to migrate AWS ECS from one account to another (in a different Region/AZ)? - Stack Overflow for example)
- From Terraform for Site24x7 | Online Help Site24x7:
- Ensure error-free deployments
- Handle heterogeneous cloud deployments for fault tolerance
- Collaborate, obtain specific versions, and create your own environment
- Spawn and remove testing environments easily
- Improve deployment speeds
- Build, version, or change infrastructure safely and efficiently
- Trace and correct configuration-level issues
- Cross-platform
- Human-readable
- Open source. We can create our own Terraform providers for our specific functionality.
- Has both a free version (Terraform) and an enterprise version (Terraform Cloud) with no functionality lost between the versions.
- From Kubernetes: Getting Started with Kubernetes provider | Guides | hashicorp/kubernetes | Terraform | Terraform Registry:
- drift detection - terraform plan will always present you the difference between reality at a given time and config you intend to apply.
- full lifecycle management - Terraform doesn't just initially create resources, but offers a single command for creation, update, and deletion of tracked resources without needing to inspect the API to identify those resources.
- synchronous feedback - While asynchronous behaviour is often useful, sometimes it's counter-productive as the job of identifying operation result (failures or details of created resource) is left to the user. e.g. you don't have IP/hostname of load balancer until it has finished provisioning, hence you can't create any DNS record pointing to it.
- graph of relationships - Terraform understands relationships between resources which may help in scheduling - e.g. if a Persistent Volume Claim claims space from a particular Persistent Volume Terraform won't even attempt to create the PVC if creation of the PV has failed.
}
Example: Create a file on a local host where Terraform is installed.
resource is the reserved word and is the block name. Each resource is uniquely defined by the combination of the resource type and name. In our example:
- "local_file" is a predefined string which denotes the resource type:
- local - resource provider (by convention, resource type names start with their provider's preferred local name)
- file - resource type
- "foo" is the logical resource name; this is a local name that can be used from the same Terraform module
Inside the curly braces (resource block) are arguments for resource. They are specific for the given resource type. In this example, we are using local_file | Resources | hashicorp/local | Terraform Registry.
- local
- aws
- azure
- gcp
- ...
Each resource type has its own set of arguments.
Example: Create Amazon Machine Image (AMI)
aws-ec2.tf:
Example: S3
aws-s3.tf:
- write .tf file
- (optional) run terraform fmt command which scans .tf files in current working directory and formats them in the canonical format. This improves the readability of configuration files.
- run terraform init command. It:
- checks the .tf config file
- initializes the working directory containing .tf file
- from .tf file it finds out what type of resource(s) we want to create
- it initializes specified providers - it downloads plugin(s) required in order to work on these resources
- is a safe command. It can be many times without affecting the infrastructure that is being deployed.
- (optional) run terraform validate to validate configuration file syntax
- run terraform plan command in order to review the execution plan
- run terraform apply command to apply changes
- run terraform show command in order to see the changes made; it prints the current state of the infrastructure; it prints all resources and values of their attributes. Use -json flag to print it in JSON format.
- run terraform destroy to destroy created resources
terraform init
. .. create_local_file_demo.tf
resource "local_file" "foo" {
filename = "${path.cwd}/temp/foo.txt"
content = "This is a text content of the foo file!"
}
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/local...
- Installing hashicorp/local v2.2.2...
- Installed hashicorp/local v2.2.2 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
. .. create_local_file_demo.tf .terraform .terraform.lock.hcl
-rwxr-xr-x 1 bojan bojan 13864960 Mar 28 13:27 providers/registry.terraform.io/hashicorp/local/2.2.2/linux_amd64/terraform-provider-local_v2.2.2_x5
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/local" {
version = "2.2.2"
hashes = [
"h1:5UYW2wJ320IggrzLt8tLD6MowePqycWtH1b2RInHZkE=",
"zh:027e4873c69da214e2fed131666d5de92089732a11d096b68257da54d30b6f9d",
"zh:0ba2216e16cfb72538d76a4c4945b4567a76f7edbfef926b1c5a08d7bba2a043",
"zh:1fee8f6aae1833c27caa96e156cf99a681b6f085e476d7e1b77d285e21d182c1",
"zh:2e8a3e72e877003df1c390a231e0d8e827eba9f788606e643f8e061218750360",
"zh:719008f9e262aa1523a6f9132adbe9eee93c648c2981f8359ce41a40e6425433",
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
"zh:9a70fdbe6ef955c4919a4519caca116f34c19c7ddedd77990fbe4f80fe66dc84",
"zh:abc412423d670cbb6264827fa80e1ffdc4a74aff3f19ba6a239dd87b85b15bec",
"zh:ae953a62c94d2a2a0822e5717fafc54e454af57bd6ed02cd301b9786765c1dd3",
"zh:be0910bdf46698560f9e86f51a4ff795c62c02f8dc82b2b1dab77a0b3a93f61e",
"zh:e58f9083b7971919b95f553227adaa7abe864fce976f0166cf4d65fc17257ff2",
"zh:ff4f77cbdbb22cc98182821c7ef84dce16298ab0e997d5c7fae97247f7a4bcb0",
]
}
terraform validate
terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# local_file.foo will be created
+ resource "local_file" "foo" {
+ content = "This is a text content of the foo file!"
+ directory_permission = "0777"
+ file_permission = "0777"
+ filename = "/home/bojan/dev/github/demo-terraform/local_resources_demo/temp/foo.txt"
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
The kubernetes_manifest resource needs access to the API server of the cluster during planning. This is because, in order to support CRDs in Terraform ecosystem, we need to pull the schema information for each manifest resource at runtime (during planing).AFAICS, every person who reported seeing similar issues above, configures the attributes of the provider "kubernetes" {..} block using references to other resources' attributes. You can only do this if the referenced resource (the cluster in this case) IS ALREADY PRESENT before you start planing / applying any of the kubernetes_manifest resources. You can achieve this as simply as using the -target CLI argument to Terraform to limit the scope of the first apply to just the cluster and it's direct dependencies. Then you follow up with a second apply without a -target argument and this constructs the rest of the resources (manifest & others). You will end up with a single state file and subsequent updates no longer require this two-step approach as long as the cluster resource is present.This limitation is stemming from Terraform itself, and the provider tries to push things as far as it can, but there is no way around needing access to schema from the API (Terraform is fundamentally a strongly-typed / schema based system).
terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# local_file.foo will be created
+ resource "local_file" "foo" {
+ content = "This is a text content of the foo file!"
+ directory_permission = "0777"
+ file_permission = "0777"
+ filename = "/home/bojan/dev/github/demo-terraform/local_resources_demo/temp/foo.txt"
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
local_file.foo: Creating...
local_file.foo: Creation complete after 0s [id=db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
This is a text content of the foo file!
{
"version": 4,
"terraform_version": "1.1.7",
"serial": 1,
"lineage": "921cfa36-9ad5-9a2e-66db-d2ef62e7509b",
"outputs": {},
"resources": [
{
"mode": "managed",
"type": "local_file",
"name": "foo",
"provider": "provider[\"registry.terraform.io/hashicorp/local\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"content": "This is a text content of the foo file!",
"content_base64": null,
"directory_permission": "0777",
"file_permission": "0777",
"filename": "/home/bojan/dev/github/demo-terraform/local_resources_demo/temp/foo.txt",
"id": "db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e",
"sensitive_content": null,
"source": null
},
"sensitive_attributes": [],
"private": "bnVsbA=="
}
]
}
]
}
terraform show
# local_file.foo:
resource "local_file" "foo" {
content = "This is a text content of the foo file!"
directory_permission = "0777"
file_permission = "0777"
filename = "/home/bojan/dev/github/demo-terraform/local_resources_demo/temp/foo.txt"
id = "db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e"
}
Updating already created resources
resource "local_file" "foo" {
filename = "${path.cwd}/temp/foo.txt"
content = "This is a text content of the foo file!"
}
local_file.foo: Refreshing state... [id=db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement
Terraform will perform the following actions:
# local_file.foo must be replaced
-/+ resource "local_file" "foo" {
~ file_permission = "0777" -> "0700" # forces replacement
~ id = "db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e" -> (known after apply)
# (3 unchanged attributes hidden)
}
Plan: 1 to add, 0 to change, 1 to destroy.
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
local_file.foo: Refreshing state... [id=db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement
Terraform will perform the following actions:
# local_file.foo must be replaced
-/+ resource "local_file" "foo" {
~ file_permission = "0777" -> "0700" # forces replacement
~ id = "db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e" -> (known after apply)
# (3 unchanged attributes hidden)
}
Plan: 1 to add, 0 to change, 1 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
local_file.foo: Destroying... [id=db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e]
local_file.foo: Destruction complete after 0s
local_file.foo: Creating...
local_file.foo: Creation complete after 0s [id=db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e]
Apply complete! Resources: 1 added, 0 changed, 1 destroyed.
total 12
-rwx------ 1 bojan bojan 39 Mar 28 16:17 foo.txt
Deleting resources
local_file.foo: Refreshing state... [id=db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
- destroy
Terraform will perform the following actions:
# local_file.foo will be destroyed
- resource "local_file" "foo" {
- content = "This is a text content of the foo file!" -> null
- directory_permission = "0777" -> null
- file_permission = "0700" -> null
- filename = "/home/bojan/dev/github/demo-terraform/local_resources_demo/temp/foo.txt" -> null
- id = "db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e" -> null
}
Plan: 0 to add, 0 to change, 1 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
local_file.foo: Destroying... [id=db5ca40b5588d44e9ec6c1b4005e11a6fd0c910e]
local_file.foo: Destruction complete after 0s
Destroy complete! Resources: 1 destroyed.
Configuration Directory
- main.tf - main config file containing definition of resources
- variables.tf - contains variable declarations
- outputs.tf - contains outputs from resources
- provider.tf - contains provider definitions
Debugging (Logging)
- INFO
- WARNING
- ERROR
- DEBUG
- TRACE (most verbose)
- set TF_LOG_PATH environment variable to a path to the log file
- make sure that TF_LOG is set