Hi guys. Welcome. I recently decided to learn Terraform as I upskill for my first tech role. This article is part of my Terraform journey with Terraform Bootcamp by Andrew Brown and Andrew Bayko, together with Chris Williams(I am also using his resources that he published here and the beloved Shala Warner. I am also using some other resources from Aaron Brooks so that I can better explain new terms. And a special shout out to Gwen Leigh for such a helpful outline that I used as a guide to create this series so that the documentation is easy to read!

As I learn more about Terraform, feel free to follow Andrew Brown on Youtube and see their free (and paid) content . I Now let's jump in;

Table of Contents

• Basic Definitions
  • What is Terraform?
  • What is IaC?
  • Types of infrastructure
  • Why use IAC?
  • What is Configuration Management?
    • Configuration Management vs Infrastructure Provisioning?
  • What is Hashicorp Vault?
  • Terraform Infrastructure Lifecycle
    • Idempotency.
    • Configuration Drift:
      • Mutable vs Immutable infrastructure
  • Terraform workflow
    • 1. Code
    • 2. Terraform init
    • 3. Terraform plan
    • 4. Terraform validate
    • 5. Terraform apply
    • 6. Terraform destroy - unmakes the things! 😱
  • Resources

Basic Definitions

What is Terraform?

• Terraform is an infrastructure as code tool that lets you build, change, and version cloud and on-prem resources safely and efficiently.

• HashiCorp Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. ¹

What is IaC?

• Infrastructure as Code (IaC) is the blueprint of our infrastructure that allows managing and provisioning of infrastructure through code instead of through manual processes. This is because provisioning infrastructure at scale is prone to error. It allows us to provision the SAME INFRASTRUCTURE everytime.

With IaC, configuration files are created that contain your infrastructure specifications, which makes it easier to edit and distribute configurations. It also ensures that you provision the same environment every time. By codifying and documenting your configuration specifications, IaC aids configuration management and helps you to avoid undocumented, ad-hoc configuration changes.

Version control is an important part of IaC, and your configuration files should be under source control just like any other software source code file. Deploying your infrastructure as code also means that you can divide your infrastructure into modular components that can then be combined in different ways through automation. ²

Types of infrastructure

We have 2 types of infrastructure:

• Declarative
• Imperative

1. Declarative
What you see is what you get. It's explicit with 0 chance of misconfiguration:

Azure only -> ARM Templates, Azure Blueprints
AWS only -> CloudFormation
GCP only -> Cloud Deployment Manager
All of the above (& many others) -> Terraform

2. Imperative
Uses existing programming languages like Python, JS or Ruby:

AWS only -> AWS CDK
AWS, Azure, GCP, K8s -> Pulumi
Terraform supports For loops, dynamic blocks, complex data structures – so it's declarative with some imperative benefits.

Why use IAC?

1. Creates a consistent and reusable ways to deploy and manage infrastructure and configuration.

2. Help prevent configuration drift.

3. Provides free documentation i.e code and logs of current state.

4. Share & reuse your configurations more easily

5. Manage infra on multiple cloud platforms

6. Track resource changes

7. Use version control (Git, GitHub, etc..) to collaborate with team members

What is Configuration Management?

• The primary goal of configuration management tools is to configure the server. Meaning, if you want to automate the installation and configuration of an application(e.g., Nginx) in a server, we use a tool like Ansible and Chef. It does all the configurations in an idempotent manner. It can be used to maintain computer systems, servers, applications, network devices, and other IT components in a desired state.

• They allow administrators to set up an IT system, such as a server or workstation, then build and maintain other servers and workstations with the same settings. IT teams use configuration assessments and drift analyses to continuously identify systems that have strayed from the desired system state and need to be updated, reconfigured, or patched. It’s a way to help ensure that a system performs as expected, even after many changes are made over time. ³

• Also, these tools help in managing the configuration drift. It ensures all the servers are running in the same configuration mentioned in the ansible-playbook or a chef cookbook .In the case of an agent-based chef/puppet, if someone changes the server config manually, the chef agent brings it back to the desired state, as mentioned in the cookbook.

• All the configuration management tools keep an inventory of the server’s IP address and SSH credentials to connect to the servers. However, in cloud environments where servers are dynamically provisioned, it uses an API-based dynamic inventory to get the server details.

Configuration Management vs Infrastructure Provisioning?

• Infrastructure provisioning tool Terraform is responsible for providing the network and servers
• Configuration management tool Ansible configures applications inside servers provisioned by Terraform.⁴

What is Hashicorp Vault?

• HashiCorp Vault is an identity-based secrets and encryption management system. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, and certificates. Vault provides encryption services that are gated by authentication and authorization methods. Using Vault’s UI, CLI, or HTTP API, access to secrets and other sensitive data can be securely stored and managed, tightly controlled (restricted), and auditable.

Terraform Infrastructure Lifecycle

The Infrastructure Lifecycle is having clearly defined work phases for planning, designing, building, testing, maintaining and retiring your infrastructure.

Idempotency.

• a property of some operations such that no matter how many times you execute them, you achieve the same result. Terraform is idempotent because, no matter how many times you run the same configuration file, you will end up with the same expected state.

Configuration Drift:

• When your actual infrastructure deviates away from the desired infrastructure. Unexpected configuration change away from what is stated in the config file. Can be due to manual adjustment (console access in prod = BAD 😂), evil h@xx0rs, etc. that is done outside of the scripting tools i.e Hashicorp Terraform, AWS CloudFormation, Ansible

.. How do we fix it?

Detect:

• By using configuration monitoring tools/compliance tools like AWS Config, or built-in support e.g. AWS CF Drift Detect
• They monitor your infrastructure and notify based on default and custom rules. >PS: Most of these tools are not free

Correct:

• TF refresh & plan commands
• Manually correct (try not to do this)
• Reprovision (comes with it's own risks)

Prevent:

• use immutable infrastructure
• always create & destroy, never reuse
• never share credentials
• run scheduled plans with tools like AWS Config and use Terraform Import Blocks to import resources outside your Terraform State
• use drift detection tools like driftctl and Cloudquery
• use GitOps to version control IaC i.e Create tf file commit Pull Request peer review commit to main GitHub action triggers build

Mutable vs Immutable infrastructure

Think of mutable infrastructure as (1) building a base image (2) Deploying that base image then (3) configuring the software after deploy.

Terraform workflow

Most of the main Terraform files end with the .tf extension.

1. Code

• create or edit your terraform config file

2. Terraform init

• This command initializes a working directory containing Terraform configuration files, pull providers and modules.
• This is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. It is safe to run this command multiple times.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see  
any changes that are required for your infrastructure. All Terraform commands  
should now work.

If you ever set or change modules or backend configuration for Terraform,      
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

3. Terraform plan

• Moves items from current state to the configuration state described in the main.tf file.
• It creates an execution plan, which lets you preview the changes that Terraform plans to make to your infrastructure. By default, when Terraform creates a plan it:

1. Reads the current state of any already-existing remote objects to make sure that the Terraform state is up-to-date.
2. Compares the current configuration to the prior state and noting any differences.
3. Proposes a set of change actions that should, if applied, make the remote objects match the configuration.

4. Terraform validate

Ensure types, values, and required attributes are valid and present

5. Terraform apply

After making our plan we can now execute it.

6. Terraform destroy - unmakes the things! 😱

Resources

1. What is Terraform ¹
2. What is IaC? ²
3. What is Configuration Management?³
4. Configuration Management vs Infrastructure Management⁴
5. A great read too
6. What is Hashicorp Vault?
7. What is Terraform init
8. Creating Git branches
9. Terraform Certified Associate (003) by Chris Williams
10. What is Configuration Drift?