Terraform: Difference between revisions

From Dave-Wiki
Revision as of 01:59, 2 February 2025

Summary

Terraform is an open-source Infrastructure as Code (IaC) tool developed by HashiCorp. It allows you to define and provision infrastructure using a declarative configuration language called HCL (HashiCorp Configuration Language).

Best Practices

Use Remote Backend for State Management

Terraform stores state to track the infrastructure it manages. A remote backend (e.g., S3 for the state file plus DynamoDB for locking) keeps a single consistent copy of that state, serialises concurrent runs, and lets a team share it.

Example (`backend.tf`):

<source lang="hcl">
terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "envs/prod/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-lock"
    encrypt        = true
  }
}
</source>

Use Modules for Reusability

Organizing infrastructure as modules makes it easier to maintain and reuse components.

Example Directory Structure:

terraform/
├── modules/
│   ├── vpc/
│   ├── ec2/
│   ├── rds/
│   ├── s3/
├── environments/
│   ├── dev/
│   ├── prod/
│   ├── test/

Use Workspaces for Multi-Environment Management

Workspaces allow Terraform to manage multiple environments within the same configuration.

Commands:

<source lang="bash">
terraform workspace new dev
terraform workspace select dev
terraform apply
</source>

Secure Secrets and Sensitive Data

Mark secret inputs with `sensitive = true`, so Terraform redacts them from plan and apply output, and keep the secret values themselves in AWS Secrets Manager rather than in version control.

Example (`variables.tf`):

<source lang="hcl">
variable "db_password" {
  description = "Database password"
  type        = string
  sensitive   = true
}
</source>
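`sensitive = true` only redacts the value from plan and apply output; Terraform still writes it to the state file in clear text, which is why the encrypted remote backend from the first section matters as much as this flag. The following Python script is an added example, not code from this wiki page: it scans a state file (a constructed sample in the state version 4 layout is embedded) and lists credential-like outputs and resource attributes that are present in clear text, together with whether Terraform had marked them sensitive. The name hints in `SECRET_HINTS`, the sample values, and the script name are assumptions.

```python
import json
import sys

# Constructed sample of a Terraform state file (state format version 4) for
# this example; the identifiers and secret values are made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.9.0",
    "outputs": {
        "db_endpoint": {"value": "prod-db.internal.example:5432", "type": "string"},
        "db_password": {"value": "hunter2-example", "type": "string", "sensitive": True},
    },
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{
             "attributes": {"identifier": "prod-db",
                            "password": "hunter2-example",
                            "storage_encrypted": True},
             # Terraform records which paths were declared sensitive, but the
             # value in "attributes" above is still stored in clear text.
             "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
         }]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"bucket": "prod-logs"}}]},
    ],
})

# Name fragments that usually carry credentials (assumption; extend for the
# providers you use).
SECRET_HINTS = ("password", "secret", "token", "private_key", "api_key")


def looks_secret(name):
    return any(hint in name.lower() for hint in SECRET_HINTS)


def sensitive_top_level_attrs(instance):
    """Names of top-level attributes Terraform marked sensitive for an instance."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        steps = path if isinstance(path, list) else [path]
        if steps and steps[0].get("type") == "get_attr":
            names.add(steps[0]["value"])
    return names


def find_plaintext_secrets(state_json):
    """Return (address, attribute, marked_sensitive) for every credential-like
    value that is present in clear text in the state document."""
    state = json.loads(state_json)
    hits = []
    for name, output in state.get("outputs", {}).items():
        if looks_secret(name) and output.get("value") not in (None, ""):
            hits.append((f"output.{name}", "value", bool(output.get("sensitive"))))
    for resource in state.get("resources", []):
        address = f"{resource['type']}.{resource['name']}"
        for instance in resource.get("instances", []):
            marked = sensitive_top_level_attrs(instance)
            for attr, value in instance.get("attributes", {}).items():
                if looks_secret(attr) and value not in (None, ""):
                    hits.append((address, attr, attr in marked))
    return hits


if __name__ == "__main__":
    # Usage: terraform state pull > state.json && python state_secrets.py state.json
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    for address, attr, marked in find_plaintext_secrets(source):
        flag = "marked sensitive" if marked else "NOT marked sensitive"
        print(f"{address}.{attr}: stored in clear text ({flag})")
```

Both hits in the sample are reported as "marked sensitive" and still in clear text: the marking changes what the CLI prints, not what the backend stores, so access to the state bucket must be restricted and the bucket encrypted.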

Essential Terraform Commands

These commands are used in most Terraform workflows.

Initialization:

<source lang="bash">
terraform init
</source>

Plan the deployment:

<source lang="bash">
terraform plan -var="aws_region=us-east-1"
</source>

Apply changes:

<source lang="bash">
terraform apply -var="aws_region=us-east-1" -auto-approve
</source>

Check Terraform state:

<source lang="bash">
terraform state list
</source>

Destroy resources:

<source lang="bash">
terraform destroy -var="aws_region=us-east-1" -auto-approve
</source>

Deploying an AWS VPC

This example provisions a VPC with public and private subnets.

Module call from the root configuration (`vpc.tf`):

<source lang="hcl">
module "vpc" {
  source          = "./modules/vpc"
  vpc_name        = "prod-vpc"
  cidr_block      = "10.0.0.0/16"
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.3.0/24", "10.0.4.0/24"]
}
</source>

VPC Module (`modules/vpc/main.tf`; only the VPC resource is shown, the `aws_subnet` resources that consume `public_subnets` and `private_subnets` are omitted):

<source lang="hcl">
resource "aws_vpc" "main" {
  cidr_block = var.cidr_block
  tags = {
    Name = var.vpc_name
  }
}
</source>

Variables (`modules/vpc/variables.tf`):

<source lang="hcl">
variable "vpc_name" { type = string }
variable "cidr_block" { type = string }
variable "public_subnets" { type = list(string) }
variable "private_subnets" { type = list(string) }
</source>

Deploying a Terraform CI/CD Pipeline

A Terraform CI/CD pipeline ensures consistent and automated deployments. This example uses AWS CodePipeline.

Pipeline Stages:

  1. Source – Fetch Terraform code from Bitbucket.
  2. Plan – Run `terraform plan`.
  3. Approve – Manual approval for `prod`.
  4. Apply – Run `terraform apply`.

Pipeline Definition (`pipeline.tf`):

<source lang="hcl">
resource "aws_codepipeline" "terraform_pipeline" {
  name     = "terraform-deploy"
  role_arn = aws_iam_role.pipeline_role.arn

  artifact_store {
    location = "my-codepipeline-bucket"
    type     = "S3"
  }

  stage {
    name = "Source"
    action {
      name             = "FetchSource"
      category         = "Source"
      owner            = "AWS"
      provider         = "CodeCommit"
      version          = "1"
      configuration    = { RepositoryName = "terraform-repo", BranchName = "main" }
      output_artifacts = ["source_output"]
    }
  }

  stage {
    name = "Plan"
    action {
      name            = "TerraformPlan"
      category        = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      version         = "1"
      input_artifacts = ["source_output"]
      configuration   = { ProjectName = aws_codebuild_project.terraform_plan.name }
    }
  }

  stage {
    name = "Approve"
    action {
      name     = "ManualApproval"
      category = "Approval"
      owner    = "AWS"
      provider = "Manual"
      version  = "1"
    }
  }

  stage {
    name = "Apply"
    action {
      name            = "TerraformApply"
      category        = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      version         = "1"
      input_artifacts = ["source_output"]
      configuration   = { ProjectName = aws_codebuild_project.terraform_apply.name }
    }
  }
}
</source>

Security Best Practices

  • Enable AWS Config & GuardDuty – Monitor changes and security threats.
  • Encrypt sensitive data – Use AWS KMS for encrypting resources.
  • Use private subnets – Keep sensitive resources off the public internet.
  • Use IAM roles with least privilege access.
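The Plan stage of the pipeline above is the natural place to enforce this checklist automatically, before a human reaches the Approve stage. The following Python script is an added example and not part of this wiki page or of AWS CodePipeline: it reads the JSON that `terraform show -json tfplan` produces (a constructed sample plan is embedded), flags an RDS instance that is publicly accessible or not encrypted with a KMS key, flags IAM policies that allow wildcard actions, and refuses planned destroys unless they are explicitly allowed. The checked resource types and attribute names, the sample plan, and the script name are assumptions.

```python
import json
import sys

# Constructed sample of `terraform show -json tfplan` output for this example;
# the addresses, attribute values and policy document are made up.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"publicly_accessible": True,
                              "storage_encrypted": True,
                              "kms_key_id": None}}},
        {"address": "aws_iam_policy.deploy", "type": "aws_iam_policy",
         "change": {"actions": ["create"],
                    "after": {"policy": json.dumps({
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*",
                                       "Resource": "*"}]})}}},
        {"address": "aws_s3_bucket.old_logs", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_vpc.main", "type": "aws_vpc",
         "change": {"actions": ["no-op"],
                    "after": {"cidr_block": "10.0.0.0/16"}}},
    ],
})


def check_db_instance(address, after):
    """RDS must stay off the public internet and use a KMS key for storage."""
    findings = []
    if after.get("publicly_accessible"):
        findings.append(f"{address}: publicly_accessible is true; place the database in a private subnet")
    if not after.get("storage_encrypted") or not after.get("kms_key_id"):
        findings.append(f"{address}: storage must be encrypted with a KMS key (storage_encrypted + kms_key_id)")
    return findings


def check_iam_policy(address, after):
    """Flag Allow statements granting every action of a service or of all services."""
    findings = []
    if not after.get("policy"):
        return findings
    statements = json.loads(after["policy"]).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{address}: wildcard Action {actions} violates least privilege")
    return findings


CHECKS = {"aws_db_instance": check_db_instance, "aws_iam_policy": check_iam_policy}


def evaluate_plan(plan_json, allow_destroy=False):
    """Return (findings, destroyed_addresses) for one plan document."""
    plan = json.loads(plan_json)
    findings, destroys = [], []
    for change in plan.get("resource_changes", []):
        actions = change["change"]["actions"]
        if "delete" in actions:
            destroys.append(change["address"])
        after = change["change"].get("after")
        if after is None or actions == ["no-op"]:
            continue  # nothing created or updated, so no attributes to inspect
        check = CHECKS.get(change["type"])
        if check:
            findings.extend(check(change["address"], after))
    if destroys and not allow_destroy:
        findings.append("plan destroys " + ", ".join(destroys) + "; allow only after manual approval")
    return findings, destroys


if __name__ == "__main__":
    # Usage in the Plan stage: terraform plan -out=tfplan &&
    #   terraform show -json tfplan > plan.json && python plan_gate.py plan.json
    files = [a for a in sys.argv[1:] if not a.startswith("--")]
    source = open(files[0]).read() if files else SAMPLE_PLAN
    problems, _ = evaluate_plan(source, allow_destroy="--allow-destroy" in sys.argv)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

A non-zero exit from the CodeBuild plan project stops the pipeline before the Approve stage, so reviewers only see plans that already pass the baseline checks; `--allow-destroy` is meant to be set deliberately for a run that is expected to remove resources.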

Conclusion

By following these Terraform best practices for AWS, you ensure a secure, scalable, and efficient infrastructure. Keep your Terraform setup modular, automated, and well-documented.
