The Terraform Data Block – Retrieving a Project Id for a GCP project

data “google_project” “project” {
}

output "project_number" {
  value = data.google_project.project.number
}

Terraform Destroy and the Data Block

When executing the terraform destroy command on our Terraform configuration, Terraform does not perform a destroy action on the resource called by the data block. It is a read only block.

The data block is also called when executing the terraform plan command, so your external resource must be present before you execute the terraform plan and terraform apply commands.

Searching for Projects using the terraform data block

One can apply a filter to search for specific projects – e.g. projects about to be deleted

data "google_projects" "my-organization-projs" {
  filter = "parent.id:23232323 lifecycleState:DELETE_REQUESTED"
}

data "google_project" "deletion-candidate" {
  project_id = data.google_projects.my-organization-projs.projects[0].project_id
}

Summary

Instead of hard coding IDs of resources, the terraform data block allows dynamic retrieval of resource IDs. It also allows searching / filtering based a filter inside the data block.

Need an experienced Cloud Networking or a Cloud Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.

The post Retrieving Resource IDs in Terraform – The Terraform Data Block appeared first on For all your terraform needs.

To me, the primary use case is that I want to prompt a user to provide the value for the input variable. In that case, I HAVE to use variables.tf.. I simply define the variable and leave it’s value blank (of course, within the resource, this variable has to be a REQUIRED value).

The post tfvars versus variables.tf appeared first on For all your terraform needs.

Need an experienced Cloud Networking or a Cloud Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.
 

The post Using -out with terraform plan – terraform plan -out appeared first on For all your terraform needs.

Use either the data block or the terraform_remote_state block to retrieve external data.

However, there are scenarios where the data block does not exist in the provider or terraform_remote_state cannot be used, such as when we need to process with an external API or need to use a local tool and process its output.

# Read the JSON payload from stdin
$jsonpayload = [Console]::In.ReadLine()

# Convert JSON to a string
$json = ConvertFrom-Json $jsonpayload
$environment = $json.environment

if($environment -eq "Production"){
$location="westeurope"
}else{
$location="westus"
}

# Write output to stdout
Write-Output "{ ""location"" : ""$location""}"

Retrieving External data

data "external" "getlocation" {
program = ["Powershell.exe", "./GetLocation.ps1"]
query = {
environment = "${var.environment_name}"
  }
}

Summary

External data sources are extremely useful in terraform – the data ‘external’ is defined for just this use case.

Need an experienced Cloud Networking or a Cloud Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma. 

The post Data Block External Data – Querying External Resources in Terraform appeared first on For all your terraform needs.

Split Configuration across multiple files

You can (and should) split resources across multiple files (even folders, if you so desire). The entire deployment will have a single state file managing all the resources.

Accessing Resources across files 

When you split resources in such a way (e.g loadbalancer.tf and backend.tf), how do you actually access resources defined in one file from another?

All of this works, because these split configuration files are still part of a single module – the root module.

What if the configuration is split across modules?

You have two options here – simply use the module keyword to access any resources (or output values) in one module from another.

The second option is to use the statefile of the second module – and use IT as a data source! See the sample below:

Define output values in your first file

Define the state (state file) of the 1st file as a data source for the second file

data "terraform_remote_state" "firstfile_data" {
  backend = "local"

  config = {
    path = "../my_folders/terraform.tfstate"
  }
}

The post Referencing outputs from one terraform file in another terraform file appeared first on For all your terraform needs.

tf apply target

How do you destroy without being prompted?

terraform destroy --approval-true flag

When would you use a null resource in terraform?

To call an external script – e.g. to call  a provisioner script

resource "null_resource" "execfile" 
{ provisioner "local-scripts" 
  { command = "${path.module}/hello.sh" interpreter = ["/bin/bash"] 
  } 
}

Custom script from within a terraform module

What is the root module?

When you run Terraform commands directly from such a directory, it is considered the root module.

How do you plan before destroying?

terraform plan -destroy

How do you prevent a resource from being deleted by a subsequent tf script?

For resources that support it, the prevent_destroy attribute is what is needed.

What is Configuration management? How does it differ from provisioning?

Provisioning is Terraform. CM is tools such as Ansible and Jenkins which allow for actual VM configuration.They provide a consistent structure for folders, secrets etc. However, there is an overlap between these two areas. Mostly, you could use terraform (and some python) to do all your configuration management. user_data and Systems Manager in AWS or custom_script in GCP will allow

What is State File Locking?

State file locking is a mechanism in terraform where operation on a specific state file is blocked to avoid conflicts between multiple users performing the same operation.

The simplest workaround is to store the state in a remote bucket (s3 or cloud storage on gcp). See Multi Developer Terraform

How do you pass in a database password to a terraform resource?

TBD

How do you isolate the web tier from the database tier?

Separate Configuration Files and folders, so you can deploy the web tier independently of the db tier.

How do you prevent state file checkins?

In git, ensure you have a .gitignore that contains:

•    .terraform (folder used as a scratch directory)
•   .tfstate
•   .tfstate.backup

How do you add a git repo as an origin for git?

git remote add origin git@github.com:USERNAME/REPONAME.git

What is the difference between git push and git commit?

commit is just to your branch.

git push pushes YOUR branch commits to the origin (so other team mates can access them).

Similarly, git pull pulls all the changes from the origin / master.

Count in Terraform

resource "ec2" instances
{
count = 3
name = ec2.${count.,index}
}

TF Lists and Indexing a List Element

element(LIST, INDEX)

Dynamic Data

Either returned from a data element or from the output of a created resource.

What is the null resource?

How do you ensure that a resource is deleted in TF?

What is a tainted resource in terraform?

When a resource declaration is modified, Terraform usually attempts to update the existing resource in place (although some changes can require destruction and re-creation, usually due to upstream API limitations).

In some cases, you might want a resource to be destroyed and re-created even when Terraform doesn’t think it’s necessary.

for example, a virtual machine that configures itself with cloud-init on startup might no longer meet your needs if the cloud-init configuration changes.

• The terraform taint command tells Terraform to destroy and re-create a particular resource during the next apply, regardless of whether its resource arguments would normally require that.
• The terraform untaint command undoes a previous taint, or can preserve a resource that was automatically tainted due to failed provisioners.

Why would you need to UNTAINT a TAINTED resource?

If Terraform currently considers a particular object as tainted but you’ve determined that it’s actually functioning correctly and need not be replaced, you can use terraform untaint to remove the taint marker from that object.

How do you pass the output of a module to another module?

1. First, an output variable to be defined in a resource configuration. The scope is local and to the module.
2. Now, you have to declare the output variable of module_A to be used in other module’s configuration. A brand new and latest key name should be created by you and the value should be kept equivalent to the module_A’s output variable.
3. Now, for module_B you have to create a file variable.tf. Establish an input variable inside this file having exactly the same name as was in the key defined by you in module_B. In a module, this particular variable enables the resource’s dynamic configuration. For making this variable available to some other module also, replicate the process. This is because the particular variable established here have its scope restricted to module_B.

The post Terraform Basics appeared first on For all your terraform needs.