Terraform

From Dave-Wiki
Revision as of 14:34, 3 February 2025 by Tlyle (talk | contribs)

Summary

Terraform is an open-source Infrastructure as Code (IaC) tool developed by HashiCorp. It allows you to define and provision infrastructure using a declarative configuration language called HCL (HashiCorp Configuration Language).

Best Practices

Use Remote Backend for State Management

Terraform stores state to track infrastructure changes. A remote backend (e.g., S3 + DynamoDB) ensures consistency and team collaboration.

Example (backend.tf): 

terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "envs/prod/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-lock"
    encrypt        = true
  }
}

Use Modules for Reusability

Organizing infrastructure as modules makes it easier to maintain and reuse components.

Example Directory Structure: 

terraform/
├── modules/
│   ├── vpc/
│   ├── ec2/
│   ├── rds/
│   ├── s3/
├── environments/
│   ├── dev/
│   ├── prod/
│   ├── test/

Use Workspaces for Multi-Environment Management

Workspaces allow Terraform to manage multiple environments within the same configuration.

Commands: 

terraform workspace new dev
terraform workspace select dev
terraform apply

Secure Secrets and Sensitive Data

Use Terraform variables with `sensitive = true` and AWS Secrets Manager.

Example (variables.tf): 

variable "db_password" {
  description = "Database password"
  type        = string
  sensitive   = true
}

Essential Terraform Commands

These commands are used in most Terraform workflows.

Initialization:

terraform init

Plan the deployment:

terraform plan -var="aws_region=us-east-1"

Apply changes:

terraform apply -var="aws_region=us-east-1" -auto-approve

Check Terraform state:

terraform state list

Destroy resources:

terraform destroy -var="aws_region=us-east-1" -auto-approve

Deploying an AWS VPC

This example provisions a VPC with public and private subnets.

VPC Module (vpc.tf):

module "vpc" {
  source = "./modules/vpc"

  vpc_name        = "prod-vpc"
  cidr_block      = "10.0.0.0/16"
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.3.0/24", "10.0.4.0/24"]
}

VPC Module (modules/vpc/main.tf):

resource "aws_vpc" "main" {
  cidr_block = var.cidr_block
  tags = {
    Name = var.vpc_name
  }
}

Variables (modules/vpc/variables.tf):

variable "vpc_name" { type = string }
variable "cidr_block" { type = string }
variable "public_subnets" { type = list(string) }
variable "private_subnets" { type = list(string) }

Deploying a Terraform CI/CD Pipeline

A Terraform CI/CD pipeline ensures consistent and automated deployments. This example uses AWS CodePipeline.

Pipeline Stages:

  • Source – Fetch Terraform code from Bitbucket.
  • Plan – Run `terraform plan`.
  • Approve – Manual approval for `prod`.
  • Apply – Run `terraform apply`.

Pipeline Definition (pipeline.tf):

resource "aws_codepipeline" "terraform_pipeline" {
  name     = "terraform-deploy"
  role_arn = aws_iam_role.pipeline_role.arn

  artifact_store {
    location = "my-codepipeline-bucket"
    type     = "S3"
  }

  stage {
    name = "Source"
    action {
      name             = "FetchSource"
      category         = "Source"
      owner           = "AWS"
      provider        = "CodeCommit"
      version         = "1"
      configuration   = { RepositoryName = "terraform-repo", BranchName = "main" }
      output_artifacts = ["source_output"]
    }
  }

  stage {
    name = "Plan"
    action {
      name             = "TerraformPlan"
      category         = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      version         = "1"
      input_artifacts  = ["source_output"]
      configuration   = { ProjectName = aws_codebuild_project.terraform_plan.name }
    }
  }

  stage {
    name = "Approve"
    action {
      name     = "ManualApproval"
      category = "Approval"
      owner    = "AWS"
      provider = "Manual"
      version  = "1"
    }
  }

  stage {
    name = "Apply"
    action {
      name             = "TerraformApply"
      category         = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      version         = "1"
      input_artifacts  = ["source_output"]
      configuration   = { ProjectName = aws_codebuild_project.terraform_apply.name }
    }
  }
}

Security Best Practices

  • Enable AWS Config & GuardDuty – Monitor changes and security threats.
  • Encrypt sensitive data – Use AWS KMS for encrypting resources.
  • Use private subnets – Keep sensitive resources off the public internet.
  • Use IAM roles with least privilege access.

Conclusion

By following these Terraform best practices for AWS, you ensure a secure, scalable, and efficient infrastructure. Keep your Terraform setup modular, automated, and well-documented.

---

Retrieved from your Terraform Wiki

Retrieved from "https://davehome.net/wiki/index.php?title=Terraform&oldid=538"