
Things that are wrong with Terraform

Warren Parad
Long time software architect, CTO Rhosys, creating application security plug-ins for any software application with Authress. Talk to me about security in microservices or service authorization.
Originally published at Medium

Just writing down my list of things that are problematic with TF. While you don’t have to agree, it’s good to put the list down and begin that conversation.

  • Suggested formatting rules => bad for VCS diffs
  • doesn’t support multiple environments well
  • doesn’t support conditional expressions well
  • syntax is overcomplicated (which also makes it very easy to do the wrong thing)
  • docs are highly inconsistent with actual platform terminology
  • docs are riddled with Warnings and notes: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  • abuses parameters to do different things, making it easy to get it wrong
  • logging is verbose but unhelpful
  • easy to get a provider or change logic corrupting your stack
  • Stack requires an S3 bucket or an account with HashiCorp, so it is impossible to use the platform provider’s tools to understand groupings. For instance with CFN you can just see what’s in the stack.
  • Easy to break your state file and cause corruption; you will have to write commands to fix the state file when it breaks
  • updates do not follow SemVer
  • Providers don’t handle unexpected situations well, if at all
  • Often and frequent workarounds to make changes to resources that haven’t been correctly developed (email unsupported in SNS: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription)
  • Veil of security when there is none: all your secrets and passwords are saved in the state file, so anyone with access can read them.
  • lack of first class provider support. CFN in AWS lets you integrate functions with secrets in a secure way, TF can never have that.
  • unresponsive to bugs in TF, don’t merge pull requests, don’t respond to issues. Frequently they’ll just close the issue after 30 days with no fix or suggestion.
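The "secrets in the state file" point above is easy to verify for yourself. The script below is an added example, not code from the original post or from HashiCorp: it parses a Terraform state file in the v4 JSON layout and reports every attribute the provider flagged in `sensitive_attributes`, every attribute whose name looks like a credential, and every output marked `sensitive`, to show that all of them sit in the file as plaintext. The sample state embedded in it is constructed for illustration (the resource values are made up), and the `sensitive_attributes` path shape it decodes (a list of paths, each a list of `{"type": "get_attr", "value": ...}` steps) is an assumption based on state files written by recent Terraform versions. The report deliberately prints the length of each value rather than the value itself, so running the audit does not leak the secrets a second time.

```python
"""Audit a Terraform state file for plaintext secrets (added example, not from the post)."""
import json
import re

# Attribute or output names that usually hold credentials.
SECRET_NAME_RE = re.compile(r"(password|secret|token|private_key|api_key)", re.IGNORECASE)

# Constructed sample state in the v4 JSON layout; every value here is made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "db_password": {"value": "hunter2-example", "type": "string", "sensitive": True},
        "db_host": {"value": "db.example.internal", "type": "string"},
    },
    "resources": [
        {
            "mode": "managed", "type": "aws_db_instance", "name": "main",
            "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
            "instances": [{
                "schema_version": 1,
                "attributes": {"identifier": "main-db", "username": "app",
                               "password": "hunter2-example", "engine": "postgres"},
                # Provider-declared sensitive path; assumed shape (list of paths of steps).
                "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
            }],
        },
        {
            "mode": "managed", "type": "aws_iam_access_key", "name": "ci",
            "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {"id": "AKIAEXAMPLEEXAMPLE", "secret": "example-secret-value",
                               "user": "ci-user"},
                "sensitive_attributes": [],  # this provider version did not flag 'secret'
            }],
        },
    ],
})


def _sensitive_top_level_names(instance):
    """Top-level attribute names the provider marked sensitive for this instance."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        steps = path if isinstance(path, list) else [path]
        if steps and isinstance(steps[0], dict) and steps[0].get("type") == "get_attr":
            names.add(steps[0]["value"])
    return names


def _walk(value, path=()):
    """Yield (dotted_path, leaf) for every scalar nested inside an attribute value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, path + (str(key),))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, path + (str(index),))
    else:
        yield ".".join(path), value


def find_plaintext_secrets(state_json):
    """Return a list of findings, one per plaintext secret found in the state."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            address = "data." + address
        for inst in res.get("instances", []):
            flagged = _sensitive_top_level_names(inst)
            for attr_path, leaf in _walk(inst.get("attributes", {})):
                top_level = attr_path.split(".")[0]
                if top_level in flagged:
                    reason = "marked sensitive by provider"
                elif SECRET_NAME_RE.search(attr_path):
                    reason = "secret-looking attribute name"
                else:
                    continue
                if isinstance(leaf, str) and leaf:
                    findings.append({"address": address, "attribute": attr_path,
                                     "reason": reason, "plaintext_length": len(leaf)})
    # Outputs marked sensitive are hidden in CLI output but stored verbatim in state.
    for name, out in state.get("outputs", {}).items():
        value = out.get("value")
        if (out.get("sensitive") or SECRET_NAME_RE.search(name)) and isinstance(value, str) and value:
            findings.append({"address": f"output.{name}", "attribute": "value",
                             "reason": "sensitive output", "plaintext_length": len(value)})
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{finding['address']}.{finding['attribute']}: {finding['reason']} "
              f"({finding['plaintext_length']} plaintext chars in state)")
```

Point it at a real `terraform.tfstate` (`find_plaintext_secrets(open("terraform.tfstate").read())`) to see which addresses would be exposed to anyone who can read the backend. The practical consequence is that the state store needs the same access controls as the secrets themselves: a remote backend with encryption at rest and a tight read policy, and never a state file committed to version control.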
