Minimal practices and changes on terraform can improve your experience on IaC
In the knowledge and discovery of terraform there are some sites that teach you how to use the tool as such, however some parts teach you how to implement, but everything that comes later you must know on the way, this is why I wanted to share with you my experience and use of terraform and how to help you work on it based in a few points:
- Always set a repository.
- Order your requirements.
- Differentiate your providers.
- Use locals.
- Don’t forget about the security.
- Costs are very important.
- Differentiate your environments.
Use an repository to order your projects
A repository called from github, gitlab, bitbucket or whatever is where you should always start your projects.
Your infrastructure as code should not be treated from a local environment and moreover, the stages of testing, planning and validation of both security and your code should always be attended from a space where you can collaborate both with your team and at some point think about how to open your tools and teach the knowledge you have for the public.
Order your paths and requirements
You should work with directory structures that allow you to organize both the resources to be deployed and the different environments with which they will work.
Providers use in a separate file
Your infrastructure providers as a whole code should go in a file where you declare your providers, so use the providers.tf file and declare the different ones in this file.
If you use required_providers don’t forget declare your providers to use like this:
Use “.tfstates” files to save your data
You need a place to store all the plan and the large terraform object that stores the infrastructure data, so getting a place where the tf-states files are stored and can be version-controlled is important.
A good strategy is to use cloud provider storage services and work with it.
You should also review the .tfstates files to understand the structure of them and in turn they allow you to solve some problems you may encounter along the way.
I recommend this documentation for understand this:
- https://www.terraform.io/language/state
- https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa
Use locals instead variables in files different than variables.tf
Variables are necessary to modularize and to work with values that can be assigned and referenced, but by weight and assignment, working with variables can make the work more expensive than it should be.
It is not bad to work with variables that reference your code, but in order to be able to converse the scope of the code you are dealing with use “local”.
Local objects will allow you to better manage the objects you are working with, in fact, you can even merge the values you assigned with your variables and use them consecutively as needed.
Remember, in terraform exist different types of variables to manage and the official documentation explain about this (https://www.terraform.io/language/expressions/types).
Security first
Use tools such as kyverno, tfsec or OPA rules to help review and understand what vulnerabilities you have in your code or simply set your rules to define what is secure and what is not using OPA or kyverno.
For example, if you choice is OPA:
- Create an tfplan.
- Create an OPA (terraform-cost-optimization.rego file) validation like this:
Samples from https://www.openpolicyagent.org/docs/latest/terraform/
Costs are important
What you deploy to the different environments generates costs and that is why you need to not only resort to the documentation of the different cloud providers or resources to know how much the impact on the organization’s budget is, but it is also important to work with tools that help you to have a preview of what we are impacting.
Terracost is a tool that when properly configured it is possible to take advantage of this with reports that show how much you could spend by impacting resources.
For example, a simple plan of terracost had.
version: 0.1
resource_type_default_usage:
aws_lambda_function:
monthly_requests: 100000 # Monthly requests to the Lambda function.
request_duration_ms: 500 # Average duration of each request in milliseconds.
Sample from https://github.com/infracost/infracost/blob/master/infracost-usage-example.yml
Responsibilities in different environments
You must know how to differentiate your environments, I know it sounds quite obvious but it is necessary that through your directory and file structures you know how to differentiate your environments.
Sample from https://www.endava.com/en/blog/Engineering/2019/11-Things-I-wish-I-knew-before-working-with-Terraform-I
Conclusion
Little changes on your “to do list” in terraform can be a great differences.
Thanks to different origin from info and specially https://medium.com/pythoneers/9-different-ways-to-embedded-code-in-medium-9213cb4c0a2e