AWS Community Day CPH 2024 - Three problems of Terraform

AndreyDevyatkin 160 views 85 slides May 07, 2024

About This Presentation

Terragrunt, Terraspace, Terramate, terra... whatever. What is wrong with Terraform so people keep on creating wrappers and solutions around it? How OpenTofu will affect this dynamic? In this presentation, we will look into the fundamental driving forces behind a zoo of wrappers. Moreover, we are goi...


Slide Content

NORDICS
DGI Byen’s CPH Conference
2024

The three problems of Terraform
Andrey Devyatkin | 2024-05-07

www.fivexl.io | hello@fivexl.io

https://www.grc.com/sn/sn-923-notes.pdf

Do it.
Do it better.
Do it right.
Alex Lindsay

Andrey Devyatkin
Co-Host @ DevSecOps Talks podcast
Principal AWS Consultant
AWS Community Builder, Security and Identity
Co-Founder @ FivexL
AWS User Group Leader, UG Las Palmas de GC

https://www.istockphoto.com/es/foto/mano-de-gato-levantada-gm914509428-251700990

Three conceptual problems
Dynamic state location: deploying the same configuration to multiple environments
Environment-specific parameters: a way to address differences between environments
Cross-state resources lookup: a need to reference resources from different states

Assumptions
AWS

https://www.primevideo.com/detail/Silicon-Valley/0PHZ6LOP10TB423SCOM0BMCFMM

$ ls
README.md
.terraform
main.tf
terraform.tfstate

terraform {
  backend "s3" {
    bucket = "my-cool-startup-infra-state"
    key    = "terraform/main.tfstate"
    region = "us-east-1"
  }
}

Assumptions
AWS
S3 backend

So far so good
No need for the wrapper

https://www.amazon.co.uk/Silicon-Valley-Season-2-DVD/dp/B018I8RFZS

We need to deploy the app to the second environment

Assumptions
AWS
dev/production
S3 backend

We need to change the backend configuration depending on the environment

terraform {
  backend "s3" {
    bucket = "my-cool-startup-infra-state"
    key    = "terraform/main.tfstate"
    region = "us-east-1"
  }
}

https://github.com/hashicorp/terraform/issues/17288
https://github.com/opentofu/opentofu/issues/1042

Can we use Terraform workspaces?

https://developer.hashicorp.com/terraform/cli/workspaces
As of 2023-05-18

https://developer.hashicorp.com/terraform/cli/workspaces#when-not-to-use-multiple-workspaces
As of 2023-05-18
Okay, what is the real-life use case then?

https://developer.hashicorp.com/terraform/cli/workspaces#alternatives-to-workspaces
As of 2023-05-18

https://terragrunt.gruntwork.io/docs/features/keep-your-terragrunt-architecture-dry/

But why so many directories? Can't we just use the same directory somehow?

https://developer.hashicorp.com/terraform/language/settings/backends/configuration#partial-configuration
As of 2023-05-18

terraform {
  backend "s3" {
    bucket = "my-cool-startup-infra-state"
    key    = "terraform/main.tfstate"
    region = "us-east-1"
  }
}

terraform {
  backend "s3" {}
}

terraform init \
  -backend-config "bucket=my-cool-startup-infra-state" \
  -backend-config "key=terraform/main.tfstate" \
  -backend-config "region=us-east-1"

Do we share the S3 bucket between environments?

Assumptions
AWS
dev/production
S3 backend
bucket/state per env with a predefined name

terraform {
  backend "s3" {}
}

terraform init \
  -backend-config "bucket=infra-state-7YYYYYYYYY62" \
  -backend-config "key=terraform/main.tfstate" \
  -backend-config "region=us-east-1"

Why did we name the S3 bucket this way?

format("infra-state-%s", data.aws_caller_identity.current.account_id)

Would exposing the account id get us into trouble?

As of 2024-05-07
https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1

https://www.lastweekinaws.com/blog/are-aws-account-ids-sensitive-information/

Control Tower naming convention

# debatable
format("infra-state-%s-%s",
  data.aws_caller_identity.current.account_id,
  data.aws_region.r.name)

# paranoid edition
format("infra-state-%s", sha1(
  format("%s-%s",
    data.aws_caller_identity.current.account_id,
    data.aws_region.r.name)))

Why not just use an env suffix like -prod or -dev?

If we use the same directory, what do we do about .terraform?

https://developer.hashicorp.com/terraform/cli/config/environment-variables#tf_data_dir
As of 2023-05-18

AWS_DEFAULT_REGION env variable?
Use aws-vault for environment setup

$ ls
README.md
.terraform.7YYYYYYYYY62
.terraform.8XXXXXXXXX28
main.tf

How do we specify different parameters for different environments?

https://developer.hashicorp.com/terraform/language/values/variables#assigning-values-to-root-module-variables
As of 2023-05-18

$ ls
README.md
7YYYYYYYYY62.tfvars
8XXXXXXXXX28.tfvars
.terraform.7YYYYYYYYY62
.terraform.8XXXXXXXXX28
main.tf

$ cat 7YYYYYYYYY62.tfvars
# dev
instance_type = "t4g.micro"

$ cat 8XXXXXXXXX28.tfvars
# prod
instance_type = "t4g.large"
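
The convention built up over the preceding slides (partial backend configuration, a state bucket named from the caller's account id, a TF_DATA_DIR per account, and an <account-id>.tfvars per environment) as one thin wrapper script. This is an added example written for this page, not code from the talk or from the linked repository. It assumes main.tf declares an empty backend "s3" {} block, that credentials and the region come from the environment (aws-vault, as the slides suggest), and all function and variable names here (state_bucket_name, init_args, require_tfvars, tf_run, STATE_BUCKET_MODE) are invented for the example. It also covers the three bucket-naming variants from the "Why did we name the S3 bucket this way?" slides, including the sha1 "paranoid edition", and adds a fail-closed check that the talk only implies: refuse to run when no tfvars file exists for the account the credentials belong to.

```shell
#!/usr/bin/env bash
# Added example, not code from the talk: a convention-based wrapper for the
# "one directory, one state bucket per AWS account" layout on the slides.
# Assumes main.tf has `backend "s3" {}` and a <account-id>.tfvars per environment.
set -eu

# Portable SHA-1 of stdin as lowercase hex (coreutils sha1sum or perl shasum).
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum | cut -d' ' -f1
  else
    shasum -a 1 | cut -d' ' -f1
  fi
}

# 12-digit AWS account id check, so the name derivation never runs on an error
# string that `aws sts get-caller-identity` may have left in the variable.
valid_account_id() {
  [ "${#1}" -eq 12 ] || return 1
  case "$1" in *[!0-9]*) return 1 ;; esac
  return 0
}

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens,
# starting and ending with a letter or digit. The hashed variant is 52 chars.
valid_bucket_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
}

# State bucket name derived from the caller's account id, as on the slides:
#   plain  -> infra-state-<account>              (account id readable in the name)
#   region -> infra-state-<account>-<region>     (the "debatable" variant)
#   hashed -> infra-state-<sha1(account-region)> (the "paranoid edition"; same
#             digest as Terraform's sha1(format("%s-%s", account_id, region)))
state_bucket_name() {
  local mode=$1 account=$2 region=${3:-}
  valid_account_id "$account" || { echo "bad account id: '$account'" >&2; return 1; }
  case "$mode" in
    plain)  printf 'infra-state-%s\n' "$account" ;;
    region) printf 'infra-state-%s-%s\n' "$account" "$region" ;;
    hashed) printf 'infra-state-%s\n' "$(printf '%s-%s' "$account" "$region" | sha1_hex)" ;;
    *) echo "unknown bucket naming mode: $mode" >&2; return 1 ;;
  esac
}

# The `terraform init` arguments, one per line, so they can be reviewed (and
# tested) before anything touches S3. Naming mode comes from STATE_BUCKET_MODE.
init_args() {
  local account=$1 region=$2 bucket
  bucket=$(state_bucket_name "${STATE_BUCKET_MODE:-plain}" "$account" "$region")
  valid_bucket_name "$bucket" || { echo "'$bucket' is not a valid bucket name" >&2; return 1; }
  printf '%s\n' "-backend-config=bucket=$bucket"
  printf '%s\n' "-backend-config=key=terraform/main.tfstate"
  printf '%s\n' "-backend-config=region=$region"
}

# Fail closed: no <account>.tfvars means this directory was never meant for that
# account, so do not silently apply variable defaults there.
require_tfvars() {
  [ -f "$1.tfvars" ] || { echo "no $1.tfvars here: refusing to run against account $1" >&2; return 1; }
}

# Real invocation. Each account gets its own .terraform.<account> working dir so
# the cached backend configuration and providers of dev and prod never mix.
tf_run() {
  local account region
  account=$(aws sts get-caller-identity --query Account --output text)
  region=${AWS_REGION:-${AWS_DEFAULT_REGION:?set the region (aws-vault does this)}}
  require_tfvars "$account"
  export TF_DATA_DIR=".terraform.$account"
  # shellcheck disable=SC2046  # init_args prints one argument per line, no spaces
  terraform init -input=false $(init_args "$account" "$region")
  terraform "$@" -var-file="$account.tfvars"
}

# Usage: aws-vault exec dev -- ./tf.sh plan   (no arguments: only define functions)
[ $# -eq 0 ] || tf_run "$@"
```

The hashed name is byte-for-byte the same digest Terraform's own sha1() produces for format("%s-%s", account_id, region), so a bootstrap stack written in HCL and this wrapper agree on the bucket without sharing state. Bucket names live in a global namespace, so a name that encodes the account id is guessable; the hashed variant hides it, at the price of a name nobody can read off a bill, which is the trade-off the slides call "debatable". The wrapper only passes -var-file to subcommands that accept it (plan, apply, destroy); use terraform output and the like directly with TF_DATA_DIR set.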

Do we really need a wrapper for this?

What if we add more applications?

https://infrastructure-as-code.com/book/2018/03/28/defining-stacks.html

https://www.youtube.com/watch?v=wgzgVm7Sqlk

How do I get the VPC id from the network stack into my application stack?

https://developer.hashicorp.com/terraform/language/state/remote-state-data

Terragrunt remote state resolution

Are there other ways?
AWS SSM Parameters
AWS S3
Self-contained modules
Tooling

Self-contained modules?
Create resources
Look up resources
Provide policies

Two more problems
Licensing: are you competing with HashiCorp?
Teamwork: how do you work together on the same state?

OpenTofu
Not a big gap at the moment
Unclear longevity
Community-requested features
Has momentum

Terraform is a CLI tool that operates on shared resources

Conventional CI/CD vs TACOS (Terraform Automation and Collaboration Systems)

[Diagram: a pipeline of Commit, Unit test, Lint, Build, Deploy, Test, Promote, split between a CI/CD server and a TACOS server]

Benefits of using TACOS
Lock down access to the state
Better visibility
Less shoulder bumping
Extra features
https://www.reddit.com/r/Terraform/comments/lkylzk/scalr_vs_spacelift_vs_atlantis_vs_env0_bake_off/

Conclusion and recap

Three conceptual problems
Dynamic state location: deploying the same configuration to multiple environments
Environment-specific parameters: a way to address differences between environments
Cross-state resources lookup: a need to reference resources from different states

Two more problems
Licensing: are you competing with HashiCorp?
Teamwork: how do you work together on the same state?

Tools like Terragrunt offer nice extra features, which make going back harder.

conventions vs wrappers

https://www.youtube.com/channel/UCiJjTS8EiCKlbT85It_0e6g

Thank you
https://github.com/Andrey9kin/3-terraform-problems
https://twitter.com/andrey9kin
https://www.linkedin.com/in/andreydevyatkin/
andrey.devyatkin@fivexl.io
https://devsecops.fm/
