Terraform+Notes+PPT+27!02!2024+ +KPLABS

HashiCorp Certified Terraform Associate 2024

PPT Version
PPT Release Date = 27th Feb 2024

We regularly release a new version of the PPT when we update this course.

Please check regularly that you are using the latest version.

The Latest Version Details are mentioned in the PPT Lecture in Section 1.
Understanding the Need
My personal journey started with implementing “AWS Hardening” guidelines.

There were 100+ pages of guidelines, and it used to take 2-3 days to implement
in 1 account.

Nowadays, it is more than 250+ pages.


Challenge that Terraform Solves
Terraform allows us to create reusable code that can deploy identical set of
infrastructure in a repeatable fashion.

(Diagram: a single HCL configuration containing Hardening Rule 1 to Hardening Rule 100 is deployed by Terraform to AWS Account 1, AWS Account 2, ... AWS Account 99.)


Amazing Terraform
One of the great benefits of Terraform is that it supports thousands of providers.

Once you learn Terraform Core concepts, you can write code to create and
manage infrastructure across all the providers.

Overview of Terraform Certification
Terraform has become one of the most popular and widely used tools to create and
manage infrastructure, and one of the de facto IAC tools for DevOps.

HashiCorp has released the official Terraform certification to certify students
on core Terraform concepts and skills.
What Does this Course Cover?
We start this Terraform course from absolute scratch and then move
ahead to advanced topics.

We cover ALL the topics of the official exams.


About Me
● DevSecOps Engineer - Defensive Security.
● Teaching is one of my passions.
● I have a total of 16 courses, and around 350,000+ students now.

Something about me :-

● HashiCorp Certified [Terraform, Vault, Consul] Associate.


● AWS Certified [DevOps Pro, SA Pro, Advanced Networking, Security Specialty …]
● RedHat Certified Architect (RHCA) + 13 more Certifications
● Part time Security Consultant
Join us in our Adventure

kplabs.in/chat

Be Awesome

kplabs.in/linkedin
About the Course
Understanding the Basics
This is a certification specific course and we cover all the pointers that are part
of the official exam blueprint.
Point to Note

The arrangement of topics in this course is a little different from the exam
blueprint to ensure this course remains beginner friendly and topics are covered
in a step by step manner.
Course Resource - GitHub
All the code that we use during practicals has been added to our GitHub page.
Course Resource - PPT Slides
ALL the slides that we use in this course are available to download as PDF.

The PDF is attached as part of the lecture titled “Central PPT Notes”.
Our Community (Optional)
We also have a Discord community that allows all the individuals who are
preparing for the same certification to connect with each other for discussions as
well as technical support.

https://kplabs.in/chat
Important Note - Platform for This Course
Terraform supports hundreds of platforms like AWS, Azure, GCP etc.

To learn Terraform concepts, we have to choose 1 platform for our testing.

For this course we have chosen AWS.


Clarification Regarding AWS Platform
Aim of this course is to learn Core Concepts of Terraform and not AWS.

We use very basic AWS services like Virtual Machine, AWS users to
demonstrate and Learn the Core Terraform concepts.

The Terraform structure and concepts remain SAME irrespective of platform.

We have hundreds of users from different platforms, such as Azure, who have
completed this course and are actively implementing Terraform for different
platforms.
Infrastructure as Code (IAC)
Understanding the Basics
There are two ways in which you can create and manage your infrastructure:

● Manual approach.

● Through automation.
Work Requirement: Database Backup
I was assigned a task to take database backup every day at 10 PM and the
backup had to be stored in Amazon S3 Storage with appropriate timestamp.

● db-backup-01-01-2024.sql
● db-backup-02-01-2024.sql

Initially, due to lack of time, I used to manually take the DB backup at 10 PM and
upload it to S3.

(Diagram: initiate the backup on the database, then upload the backup to Amazon S3.)
Learning from this Work Requirement
If a particular task has to be done in a repeatable manner, it MUST be
automated.

Points to Note:

1. Depending on the type of task, the tools for automation will change.

2. There is a wide variety of tools and technologies used for automation, such as
Ansible, CloudFormation, Terraform, Python etc.
Example of a Single Service
A set of resources (Virtual Machine, Database, S3, AWS Users) must be created
with exactly the same configuration in the Dev, Stage and Production environments.

(Diagram: the same set of resources created by hand in the Development ENV, Staging ENV and Production ENV.)

Example of a Single Service - Automated Way

(Diagram: an IAC tool creates the same set of resources in the Development ENV, Staging ENV and Production ENV.)

Basics of Infrastructure as Code
Infrastructure as Code (IaC) is the managing and provisioning of infrastructure
through code instead of through manual processes.
Benefits of Infrastructure As Code

There are several benefits of designing your infrastructure as code:

● Speed of Infrastructure Management.

● Low Risk of Human Errors.

● Version Control.

● Easy collaboration between Teams.


Choosing Right IAC Tool
Available Tools
There are various types of tools that allow you to deploy infrastructure as
code:

● Terraform
● CloudFormation
● Heat
● Ansible
● SaltStack
● Chef, Puppet and others
Categories of Tools
The tools are broadly divided into two major categories of Infrastructure As Code:

● Infrastructure Orchestration: Terraform, CloudFormation

● Configuration Management: Ansible, Chef


Configuration Management
Configuration Management tools are primarily used to maintain the desired
configuration of systems (inside servers).

Example: ALL servers should have Antivirus installed with version 10.0.2.

(Diagram: Ansible installing the AV across the server fleet.)
Infrastructure Orchestration
Infrastructure Orchestration is primarily used to create and manage
infrastructure environments.

Example: Create 3 servers with 4 GB RAM and 2 vCPUs. Each server should have a
firewall rule that allows SSH connections from the office IPs.

(Diagram: Terraform creating the infrastructure fleet.)
IAC & Configuration Management = Friends

(Diagram: Terraform applies first_server.tf to AWS and a new EC2 instance is running; once that step is completed, Ansible installs and configures the application on the new instance.)
How to choose IAC Tool?
i) Is your infrastructure going to be vendor specific in the longer term? Example: AWS.

ii) Are you planning to have a multi-cloud / hybrid cloud based infrastructure?

iii) How well does it integrate with configuration management tools?

iv) Price and support


Use-Case 1 - Requirement of Organization 1
1. The organization is going to be based on AWS for the next 25 years.

2. Official support is required in case the team faces any issue related to the IAC tool or
the code itself.

3. They want some kind of GUI interface that supports automatic code
generation.
Use-Case 2 - Requirement of Organization 2

1. The organization is based on a hybrid solution. They use VMware for the on-premise
setup; AWS, Azure and GCP for the cloud.

2. Official support is required in case the IAC tool has any issues.


Installing Terraform
Terraform in detail
Overview of Installation Process

Terraform installation is very simple.

It is a single binary file: download it and use it.

(Diagram: download the terraform binary.)
knowledge portal
Supported Platforms

Terraform works on multiple platforms; these include:

● Windows
● macOS
● Linux
● FreeBSD
● OpenBSD
● Solaris

Terraform Installation - Mac & Linux

There are two primary steps required to install Terraform on Mac and Linux:

1) Download the Terraform Binary File.

2) Move it in the right path.

Choosing IDE For Terraform
Terraform in detail
Terraform Code in NotePad!
You can write Terraform code in Notepad; the editor has no impact on how the code runs.

Downsides:

● Slower Development
● Limited Features

Need of a Better Software
There is a need for a better application that allows us to develop code faster.

What are the Options!
There are many popular source code editors available in the market.


Editor for This Course
We are going to make use of Visual Studio Code as the primary editor in this course.

Advantages:
1. Supports Windows, Mac, Linux
2. Supports Wide variety of programming languages.
3. Many Extensions.

Visual Studio Code Extensions
Understanding the Basics
Extensions are add-ons that allow you to customize and enhance your
experience in Visual Studio by adding new features or integrating existing tools.

They offer a wide range of functionality related to colors, auto-complete, reporting
spelling errors etc.
Terraform Extension
HashiCorp also provides an extension for Terraform for Visual Studio Code.
Setting up the Lab
Let's Start Rolling!
Let’s Start

i) Create a new AWS Account.

ii) Begin the course

Registering an AWS Account

Authentication and Authorization
Understanding the Basics
Before we start working on managing environments through Terraform, the first
important step is related to Authentication and Authorization.

(Diagram: Terraform asks AWS Cloud to create a new server; AWS Cloud replies "Dude, Authenticate First".)


Basics of Authentication and Authorization
Authentication is the process of verifying who a user is.

Authorization is the process of verifying what they have access to.

Example:

Alice is a user in AWS with no access to any service.


Learning for Today's Video
Terraform needs access credentials with relevant permissions to create and
manage the environments.

(Diagram: Terraform asks the cloud to create a new server and presents a username and password; the cloud replies "Done".)
Access Credentials
Depending on the provider, the type of access credentials would change.

Provider         Access Credentials
AWS              Access Keys and Secret Keys
GitHub           Tokens
Kubernetes       Kubeconfig file, Credentials Config
Digital Ocean    Tokens


First Virtual Machine Through Terraform
Revising the Basics of EC2
EC2 stands for Elastic Compute Cloud.

In short, it is the name for a virtual server that you launch in AWS.
Available Regions
Cloud providers offer multiple regions in which we can create our resources.

You need to decide the region in which Terraform would create the resource.
Virtual Machine Configuration
A Virtual Machine would have its own set of configurations.

● CPU
● Memory
● Storage
● Operating System

While creating VM through Terraform, you will need to define these.


Providers and Resources
Basics of Providers
Terraform supports multiple providers.

Depending on what type of infrastructure we want to launch, we have to use the
appropriate providers accordingly.
Learning 1 - Provider Plugins
A provider is a plugin that lets Terraform manage an external API.

When we run terraform init, plugins required for the provider are automatically
downloaded and saved locally to a .terraform directory.
Learning 2 - Resource
A resource block describes one or more infrastructure objects.

Example:

● resource aws_instance
● resource aws_alb
● resource iam_user
● resource digitalocean_droplet
Learning 3 - Resource Blocks
A resource block declares a resource of a given type ("aws_instance") with a
given local name ("myec2").

Resource type and Name together serve as an identifier for a given resource
and so must be unique.



Point to Note
You can only use the resources that are supported by a specific provider.

In the example below, the Azure provider is used with an aws_instance resource, which that provider does not support.


Important Question
The core concepts and standard syntax remain similar across all providers.

If you learn the basics, you should be able to work with all providers easily.
Issues and Bugs with Providers
A provider being maintained by HashiCorp does not mean it has no bugs.

It can happen that there are inconsistencies between your output and what is
mentioned in the documentation. You can raise an issue on the provider's page.
Relax and Have a Meme Before Proceeding

Provider Tiers
Provider Maintainers
There are three primary provider tiers in Terraform.

Provider Tier    Description
Official         Owned and maintained by HashiCorp.
Partner          Owned and maintained by a technology company that maintains a direct partnership with HashiCorp.
Community        Owned and maintained by individual contributors.


Provider Namespace
Namespaces are used to help users identify the organization or publisher
responsible for the integration.

Tier         Namespace
Official     hashicorp
Partner      Third-party organization, e.g. mongodb/mongodbatlas
Community    Maintainer's individual or organization account, e.g. DeviaVir/gsuite
Important Learning
Terraform requires explicit source information for any providers that are not
HashiCorp-maintained, using a new syntax in the required_providers nested
block inside the terraform configuration block.

(Code screenshots: a HashiCorp-maintained provider and a non-HashiCorp-maintained provider declared in required_providers.)
Terraform Destroy
Learning to Destroy Resources
If you keep the infrastructure running, you will get charged for it.

Hence it is important for us to also know how we can delete the infrastructure
resources created via Terraform.
Approach 1 - Destroy ALL
terraform destroy allows us to destroy all the resources that are created within the
folder.

terraform destroy
Approach 2 - Destroy Some
terraform destroy with the -target flag allows us to destroy a specific resource.

terraform destroy -target aws_instance.myec2
Terraform Destroy with Target
The -target option can be used to focus Terraform's attention on only a subset of
resources.

The target is a combination of: Resource Type + Local Resource Name

Resource Type        Local Resource Name
aws_instance         myec2
github_repository    example
Desired & Current State
Terraform in detail
Desired State
Terraform's primary function is to create, modify, and destroy infrastructure resources to
match the desired state described in a Terraform configuration.

Example: EC2 - t2.micro (the instance type written in the configuration)

Current State
Current state is the actual state of a resource that is currently deployed.

Example: EC2 - t2.medium (the instance type actually running)

Important Pointer

Terraform tries to ensure that the deployed infrastructure is based on the desired state.

If there is a difference between the two, terraform plan presents a description of the
changes necessary to achieve the desired state.

Provider Versioning
Terraform in detail
Provider Architecture

Infrastructure
Provisioning

(API interactions)

do_droplet.tf Terraform Digital Ocean New Server


Provider

Digital Ocean

knowledge portal
Overview of Provider Versioning
Provider plugins are released separately from Terraform itself.

They have their own set of version numbers (Version 1, Version 2, ...), independent of the Terraform version.

Explicitly Setting Provider Version
During terraform init, if the version argument is not specified, the most recent provider will be
downloaded during initialization.

For production use, you should constrain the acceptable provider versions via configuration, to
ensure that new versions with breaking changes will not be automatically installed.
Arguments for Specifying provider
There are multiple ways of specifying the version of a provider.

Version Number Argument    Description
>=1.0                      Greater than or equal to the version
<=1.0                      Less than or equal to the version
~>2.0                      Any version in the 2.X range
>=2.10,<=2.30              Any version between 2.10 and 2.30

Dependency Lock File
The Terraform dependency lock file allows us to lock to a specific version of the provider.

If a particular provider already has a selection recorded in the lock file, Terraform will always
re-select that version for installation, even if a newer version has become available.

You can override that behavior by adding the -upgrade option when you run terraform init.
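The required_providers syntax from the "Important Learning" slide and the version constraints above, put together in one configuration. This is an added example, not code from the course; the version numbers are illustrative assumptions, and mongodb/mongodbatlas is used only because it is the partner namespace named earlier.

```hcl
# Added example (not from the course slides): pinning provider versions.
# Assumption: the version ranges below are illustrative, not a recommendation.
terraform {
  required_version = ">= 1.5.0"

  required_providers {
    # HashiCorp-maintained provider. "hashicorp/" is the default namespace,
    # but spelling the source out makes the intent obvious to reviewers.
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # any 5.x release; 6.0 (possible breaking changes) is never auto-installed
    }

    # Partner provider: a non-HashiCorp namespace MUST be given explicitly,
    # otherwise Terraform would look for hashicorp/mongodbatlas and fail.
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = ">= 1.10, < 2.0" # assumed range, same meaning as ">=2.10,<=2.30" style on the slide
    }
  }
}

provider "aws" {
  region = "us-east-1"
}
```

After the first `terraform init` the exact versions chosen are recorded in .terraform.lock.hcl and re-used on every later init; `terraform init -upgrade` moves to the newest version that still satisfies the constraint, never past it.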
Terraform Refresh
Understanding the Challenge
Terraform can create infrastructure based on the configuration you specified.

It can happen that the infrastructure gets modified manually.

(Diagram: the EC2 instance is running as t2.micro, and the state file records the same.)

State File:
  EC2:
    type: t2.micro
    storage: 20
    sg: default
Understanding the Challenge
The terraform refresh command will check the latest state of your infrastructure
and update the state file accordingly.

terraform refresh

(Diagram: terraform refresh scans the real infrastructure, finds the instance is now t2.large, and updates the state file.)

State File:
  EC2:
    type: t2.large
    storage: 20
    sg: default
Points to Note

You shouldn't typically need to use this command, because Terraform
automatically performs the same refreshing actions as a part of creating a plan
in both the terraform plan and terraform apply commands.
Understanding the Usage

The terraform refresh command is deprecated in newer versions of Terraform.

The -refresh-only option for terraform plan and terraform apply was introduced in
Terraform v0.15.4.
AWS Provider - Authentication Configuration
Understanding the Basics
At this stage, we have been manually hardcoding the access / secret keys within
the provider block.

Although it is a working solution, it is not optimal from a security point of view.
Better Way
We want our code to run successfully without hardcoding the secrets in the
provider block.
Better Approach
The AWS Provider can source credentials and other settings from the shared
configuration and credentials files.
Default Configurations
If the shared files arguments are not added to the provider block, by default Terraform will
look for these files at $HOME/.aws/config and $HOME/.aws/credentials on Linux
and macOS, and at "%USERPROFILE%\.aws\config" and "%USERPROFILE%\.aws\credentials" on
Windows.
AWS CLI
AWS CLI allows customers to manage AWS resources directly from the CLI.

When you configure Access/Secret keys in AWS CLI, the location in which these
credentials are stored is the same default location from which Terraform reads the
credentials.
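The hardcoded provider block next to the shared-files version, as an added example that is not the course's own code. The key values are obvious placeholders; the file paths and profile name are assumptions for illustration.

```hcl
# Added example (not from the course slides).
#
# BEFORE: secrets hardcoded in the provider block. They land in version control
# and in every copy of the repository. (Kept as a comment so this file stays
# valid; the values are placeholders, not real keys.)
#
# provider "aws" {
#   region     = "us-east-1"
#   access_key = "PLACEHOLDER_ACCESS_KEY"
#   secret_key = "PLACEHOLDER_SECRET_KEY"
# }

# AFTER: no secrets in code. The provider reads the shared config and
# credentials files that `aws configure` writes. The two shared_* arguments are
# only needed when the files live somewhere other than the defaults
# ($HOME/.aws/... on Linux and macOS, %USERPROFILE%\.aws\... on Windows).
provider "aws" {
  region = "us-east-1"

  # Assumed non-default file locations, shown to illustrate the arguments.
  shared_config_files      = ["/home/terraform/.aws/config"]
  shared_credentials_files = ["/home/terraform/.aws/credentials"]

  # Assumed profile name: selects a named section instead of [default].
  profile = "terraform-course"
}
```

Because the credentials are read from outside the code, the same configuration can be committed and shared without ever containing a secret, and rotating a key means editing one credentials file rather than every provider block.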

(Diagram: awscli creating an EC2 instance on the AWS platform.)


Lecture Format - Terraform Course
Terraform in detail
Overview of the Format

We tend to use a different folder for each practical that we do in the course.

This allows us to be more systematic and makes it easier to revisit a practical if required.

Lecture Name                  Folder Name
Create First EC2 Instance     folder1
Tainting resource             folder2
Conditional Expression        folder3

Find the appropriate code from GitHub

Code in GitHub is arranged according to sections that are matched to the domains in the course.

Every section in GitHub has a Readme file for quick navigation.

Destroy Resource After Practical

We know how to destroy resources by now.

terraform destroy

After you have completed your practical, make sure you destroy the resources before moving to
the next practical.

This is easier if you are maintaining a separate folder for each practical.

Relax and Have a Meme Before Proceeding
Learning Scope - AWS Services for Terraform Course
Understanding the Basics
AWS has more than 200 services available.
Aim of the Course
The primary aim of this course is to master the core concepts of Terraform.

Terraform = Infrastructure as Code Tool.

To learn Terraform, we need to create infrastructure somewhere.


Services that we Choose
Throughout the course, we use very basic AWS services to demonstrate
Terraform concepts.

● Virtual Machine (EC2)

● Firewall (Security Groups)

● AWS Users (IAM Users)

● IP Address (Elastic IP)


Basics of These Services are Covered
We have 100,000+ students from different backgrounds who are learning
Terraform.

Some are AWS pros, some are from Azure/GCP, some are students.

To get everyone on the same page, we also cover the basics of the AWS services that
we use throughout the course.
Example - Creating Firewall Through Terraform

1. Basics of Firewalls in AWS

2. Firewall Practical in AWS (GUI Console)

3. Creating Firewall Rules Through Terraform.


Basics of Firewalls
Basics of Ports
A port acts as an endpoint of communication to identify a given application or
process on a Linux operating system.

(Diagram: a server at 1.2.3.4 opening port 22 for SSH and port 80 for HTTPD to Internet users.)
Basics of Firewall
Firewall is a network security system that monitors and controls incoming and
outgoing network traffic based on predetermined security rules.

(Diagram: a user from the Internet tries to connect to port 22 (SSH) and port 80 (HTTPD); the firewall denies the connection to 22 and allows the connection to 80.)
Firewall in AWS
A security group acts as a virtual firewall for your instance to control inbound and
outbound traffic.

(Diagram: the security group in front of the EC2 instance denies the user's connection to 22 and allows the connection to 80.)
Sample Security Group with Rules
Inbound and Outbound Rules
Firewalls control both inbound and outbound connections to and from the server.

Direction    Rule
Inbound      Allow 80 from 0.0.0.0/0
Outbound     Allow 3306 to 172.31.10.50
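The two rules from the table written as a security group attached to an EC2 instance. This is an added example, not the course's own code; it assumes the default VPC, and the AMI id is a placeholder.

```hcl
# Added example (not from the course slides). Assumptions: default VPC,
# placeholder AMI id, and the database host 172.31.10.50 from the slide.
resource "aws_security_group" "web" {
  name        = "web-server-sg"
  description = "Allow HTTP in, MySQL out to the DB host only"

  # Inbound: web traffic from any IPv4 address.
  ingress {
    description = "HTTP from the Internet"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound: only MySQL, and only to the single database host (/32 = one
  # address). Terraform removes AWS's default allow-all egress rule when the
  # group is created, so anything not listed here (port 22 out, for example)
  # is denied.
  egress {
    description = "MySQL to the database server"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["172.31.10.50/32"]
  }
}

resource "aws_instance" "web" {
  ami                    = "ami-PLACEHOLDER" # replace with an AMI id valid in your region
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.web.id]
}
```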


Dealing with Documentation Code Updates - Terraform
Understanding the Challenge
Occasionally, in newer versions of providers, you will see some changes in
the way you create a resource.

(Code screenshots: the new approach next to the old approach.)

Points to Note

Just because a better approach is recommended does NOT always mean that
the older approach will stop working.

Organizations can continue to use the approach that suits best in their
environment.
Switching to Older Provider Doc
You can always switch to the older version of provider documentation page to
understand the changes.
Closing Pointers

For larger enterprises, it becomes difficult to upgrade their code base to the
newer approach that provider recommends.

In such cases, they stick with the appropriate provider version that supports the
older approach of creating the resource.
Create Elastic IP with Terraform
Basics of Elastic IP in AWS
An Elastic IP address is a static IPv4 address in AWS.

You can create it and associate it with an EC2 instance.

(Diagram: the Elastic IP 52.30.40.50 associated with an EC2 instance.)
Aim of Today’s Video

We are going to use Terraform to create an Elastic IP resource in AWS.


Attributes
Basics of Attributes
Each resource has its associated set of attributes.

Attributes are the fields in a resource that hold the values that end up in state.

Attribute      Value
id             i-abcd
public_ip      52.74.32.50
private_ip     172.31.10.50
private_dns    ip-172-31-10-50.ec2.internal
Points to Note
Each resource type has a predefined set of attributes determined by the
provider.
Cross-Resource Attribute References
Typical Challenge
It can happen that in a single Terraform file you are defining two different
resources.

However, Resource 2 might depend on some value of Resource 1.

(Diagram: a firewall rule "Allow 443 from Elastic IP" that needs the Elastic IP address.)

Understanding The Workflow

(Diagram: the Elastic IP is created first and receives 52.72.30.50; the firewall rule then becomes "Allow 443 from 52.72.30.50".)
Analyzing the Attributes of EIP
We have to find which attribute stores the Public IP associated with EIP
Resource.
Referencing Attribute in Other Resource
We have to find a way in which the attribute value of "public_ip" is referenced in the
cidr_ipv4 argument of the security group rule resource.

Elastic IP
Attribute    Value
public_ip    52.72.52.72
Cross Referencing Resource Attribute
Terraform allows us to reference the attribute of one resource to be used in a
different resource.

Overall syntax:

<RESOURCE TYPE>.<NAME>.<ATTRIBUTE>
Cross Referencing Resource Attribute
We can specify the resource address with attribute for cross-referencing.

Elastic IP
Attribute    Value
public_ip    52.72.52.72
String Interpolation in Terraform
${...}: This syntax indicates that Terraform will replace the expression inside the
curly braces with its calculated value.
Joke Time

Why did the Terraform attribute take a break?

...It was feeling over-referenced.

How did the Terraform attribute become a detective?

...It followed the resource trail.


Output Values
Understanding the Basics
Output values make information about your infrastructure available on the
command line, and can expose information for other Terraform configurations to
use.

(Diagram: the user asks Terraform to "Create EC2 and give me its Public IP"; Terraform creates the EC2 instance, fetches its info and reports "IP of EC2: 172.32.10.50".)


Sample Example
Use-Case:

Create an Elastic IP (Public IP) resource in AWS and output the value of the EIP.
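The Elastic IP use-case above, combined with the cross-resource reference and "${...}" interpolation from the previous section. This is an added example, not the course's own code; it assumes AWS provider 5.x (where aws_eip uses `domain = "vpc"`) and the default VPC.

```hcl
# Added example (not from the course slides). Assumptions: AWS provider 5.x,
# default VPC; the security group exists only to hold the rule.
resource "aws_eip" "lb" {
  domain = "vpc"
}

resource "aws_security_group" "app" {
  name = "app-sg"
}

# Resource 2 depends on Resource 1: the rule is built from the EIP's public_ip
# attribute, which is only known after the EIP has been created. Terraform
# sees the reference, infers the dependency and creates the EIP first.
resource "aws_vpc_security_group_ingress_rule" "https_from_eip" {
  security_group_id = aws_security_group.app.id
  description       = "Allow 443 from the Elastic IP"

  # <RESOURCE TYPE>.<NAME>.<ATTRIBUTE> inside "${...}", with /32 appended so
  # exactly one address is whitelisted rather than a range.
  cidr_ipv4   = "${aws_eip.lb.public_ip}/32"
  from_port   = 443
  to_port     = 443
  ip_protocol = "tcp"
}

# Output values: printed on the command line after apply and readable by
# other Terraform configurations.
output "eip_public_ip" {
  description = "Public IPv4 address of the Elastic IP"
  value       = aws_eip.lb.public_ip
}

output "https_rule_cidr" {
  description = "The CIDR Terraform actually wrote into the rule"
  value       = aws_vpc_security_group_ingress_rule.https_from_eip.cidr_ipv4
}
```

After `terraform apply`, `terraform output eip_public_ip` shows the address, and `https_rule_cidr` confirms it was carried into the firewall rule with the /32 suffix.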
Point to Note
Output values defined in Project A can be referenced from code in Project B as
well.

(Diagram: Project A's Terraform code produces the output value Ip = 54.146.20.28, which the TF code in Project B fetches.)
Terraform Variables
Understanding the Challenge
Repeated static values in the code can create more work in the future.

Example: VPN IP needs to be whitelisted for 5 ports through Firewall Rules.

Port Number    CIDR Block           Description
80             101.0.62.210/32      VPN IP Whitelist
443            101.0.62.210/32      VPN IP Whitelist
22             101.0.62.210/32      VPN IP Whitelist
21             101.0.62.210/32      VPN IP Whitelist
8080           101.0.62.210/32      VPN IP Whitelist


Better Approach
A better solution would be to define the repeated static value in one central place.

Central Location:
Key        Value
vpn_ip     101.0.62.210/32
Basics of Variables
Terraform input variables are used to pass certain values from outside of the
configuration.

Variable File:
Name        Value
vpn_ip      101.0.62.210/32
app_port    8080
Benefits of Variables
1. Update important values in one central place instead of searching and
replacing them throughout your code, saving time and avoiding potential mistakes.

2. No need to touch the core Terraform configuration file. This can avoid
human mistakes while editing.
Variable Definitions File (TFVars)
Understanding the Base

Managing variables in a production environment is one of the most important
aspects of keeping code clean and reusable.

HashiCorp recommends creating a separate file named *.tfvars to define
all variable values in a project.
What the Recommended Folder Structure Looks Like
1. Main Terraform Configuration File.

2. variables.tf file that defines all the variables.

3. terraform.tfvars file that defines values for all the variables.


Configuration for Different Environments
Organizations can have wide set of environments: Dev, Stage, Prod

(Diagram: one Main Configuration File and one variables.tf file, with a separate tfvars file for Dev and another for Prod.)


Selecting tfvars File
If you have multiple variable definition files (*.tfvars), you can specify on the
command line which file to use.
Point to Note
If file name is terraform.tfvars → Terraform will automatically load values from it.

If file name is different like prod.tfvars → You have to explicitly define the file
during plan / apply operation.
Approach to Variable Assignment
Understanding the Base
By default, whenever you define a variable, you must also set a value
associated with it.



Add a Value in CLI
If you have not defined a value for a variable, Terraform will ask you to input the
value in CLI Prompt when you run terraform plan / apply operation.
Declaring Variable Values
When variables are declared in your configuration, they can be set in a number
of ways:

1. Variable Defaults.

2. Variable Definition File (*.tfvars)

3. Environment Variables

4. Setting Variables in the Command Line.


Variable Defaults
You can set a default value for a variable.

If there is no value supplied, the default value will be taken.


Variable Definition File (*.tfvars)

Variable Values can be defined in *.tfvars file.


Setting Variable in Command Line
To specify individual variables on the command line, use the -var option when
running the terraform plan and terraform apply commands.
Setting Variable through Environment Variables
Terraform searches the environment of its own process for environment
variables named TF_VAR_ followed by the name of a declared variable.
Variable Definition Precedence
Understanding the Base
Values for a variable can be defined at multiple different places.

What if values for a variable are different?


Simple Example
variable "instance_type" {}

1. Default Value is t2.micro

2. terraform.tfvars value is "t2.small"

3. Environment Variable TF_VAR_instance_type = “t2.large”

Which value will Terraform take?


Variable Definition Precedence
Terraform loads variables in the following order, with later sources taking
precedence over earlier ones:

1. Environment variables
2. The terraform.tfvars file, if present.
3. The terraform.tfvars.json file, if present.
4. Any *.auto.tfvars or *.auto.tfvars.json files, processed in lexical order of their
filenames.
5. Any -var and -var-file options on the command line


Example 1

ENV Variable of TF_VAR_instance_type = “t2.micro”

Value in terraform.tfvars = “t2.large”

Final Result = “t2.large”


Example 2

1. ENV Variable of TF_VAR_instance_type = “t2.micro”

2. Value in terraform.tfvars = “t2.large”

3. terraform plan -var="instance_type=m5.large"

Final Result = “m5.large”


Data Types for Variables
Terraform in detail
Overview of Type Constraints

The type argument in a variable block allows you to restrict the type of value that will be accepted
as the value for a variable.

variable "image_id" {
type = string
}

If no type constraint is set then a value of any type is accepted.

Example Use-Case
Every employee in Medium Corp is assigned an identification number.

Any resource that an employee creates should be created with the name of the identification number
only.

variables.tf:
variable "instance_name" {}

terraform.tfvars:
instance_name = "john-123"

Example Use-Case
Every employee in Medium Corp is assigned an identification number.

Any EC2 instance that an employee creates should be created using the identification number only.

variables.tf:
variable "instance_name" {
  type = number
}

terraform.tfvars:
instance_name = "john-123"

Overview of Data Types
Type Keyword    Description
string          Sequence of Unicode characters representing some text, like "hello".
list            Sequential list of values identified by their position, starting at 0, like ["mumbai", "singapore", "usa"].
map             A group of values identified by named labels, like {name = "Mabel", age = 52}.
number          Example: 200
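The four type keywords from the table, declared with type constraints and fed from terraform.tfvars. This is an added example, not the course's own code; the three files are shown in one block separated by comments, the values are constructed, and the AMI id is a placeholder.

```hcl
# Added example (not from the course slides). Values are constructed.

# ---- variables.tf : declarations with type constraints ----
variable "instance_type" {
  type    = string
  default = "t2.micro" # used only when no other source supplies a value
}

variable "instance_name" {
  type = string # "john-123" is text, so string; type = number would reject it
}

variable "app_port" {
  type = number # written without quotes in tfvars: 8080
}

variable "regions" {
  type = list(string) # positional; index starts at 0
}

variable "owner_tags" {
  type = map(string) # values identified by named labels
}

# ---- terraform.tfvars : loaded automatically because of its file name ----
# instance_type = "t2.small"
# instance_name = "john-123"
# app_port      = 8080
# regions       = ["mumbai", "singapore", "usa"]
# owner_tags    = { name = "Mabel", team = "platform" }

# ---- main.tf : using the variables ----
resource "aws_instance" "app" {
  ami           = "ami-PLACEHOLDER" # replace with an AMI id valid in your region
  instance_type = var.instance_type  # "t2.small": tfvars overrides the default

  tags = merge(var.owner_tags, {
    Name   = var.instance_name
    Region = var.regions[0]          # "mumbai"
    Port   = tostring(var.app_port)  # tags must be strings, so convert the number
  })
}
```

Running `terraform plan -var="instance_type=m5.large"` on top of this still wins over terraform.tfvars, exactly as the precedence list earlier states, while `terraform plan -var="app_port=web"` is rejected by the number constraint before any API call is made.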

Count Parameter
Terraform in detail
Overview of Count Parameter

The count parameter on resources can simplify configurations and let you scale resources by
simply incrementing a number.

Let's assume you need to create two EC2 instances. One common approach is to define
two separate resource blocks for aws_instance.

Overview of Count Parameter

With count parameter, we can simply specify the count value and the resource can be scaled
accordingly.

Count Index

In resource blocks where count is set, an additional count object is available in expressions, so you
can modify the configuration of each instance.

This object has one attribute:

count.index — The distinct index number (starting with 0) corresponding to this instance.

Understanding Challenge with Count

With the code below, Terraform will create 5 IAM users. The problem is that all of them will have the
same name.

Understanding Challenge with Count

count.index allows us to fetch the index of each iteration in the loop.

Understanding Challenge with Default Count Index

Having a username like loadbalancer0, loadbalancer1 might not always be suitable.

Names like dev-loadbalancer, stage-loadbalancer and prod-loadbalancer are better.

count.index can help in such a scenario as well.
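The VPN whitelist from the variables section (one CIDR, five ports) and the dev/stage/prod naming above, both driven by count and count.index. This is an added example, not the course's own code; the security group and the list values are constructed for illustration.

```hcl
# Added example (not from the course slides). Values are constructed.
variable "vpn_ip" {
  type    = string
  default = "101.0.62.210/32" # defined once, referenced by every rule
}

variable "vpn_ports" {
  type    = list(number)
  default = [80, 443, 22, 21, 8080]
}

variable "environments" {
  type    = list(string)
  default = ["dev", "stage", "prod"]
}

resource "aws_security_group" "vpn_access" {
  name = "vpn-access"
}

# One rule per port: count = 5, so count.index runs 0..4 and selects the port.
# Growing or shrinking the list scales the rules; nothing is copy-pasted.
resource "aws_vpc_security_group_ingress_rule" "vpn" {
  count = length(var.vpn_ports)

  security_group_id = aws_security_group.vpn_access.id
  description       = "VPN IP Whitelist"
  cidr_ipv4         = var.vpn_ip
  from_port         = var.vpn_ports[count.index]
  to_port           = var.vpn_ports[count.index]
  ip_protocol       = "tcp"
}

# count.index alone would give loadbalancer0, loadbalancer1, loadbalancer2.
# Indexing a list with it gives dev-loadbalancer, stage-loadbalancer, prod-loadbalancer.
resource "aws_iam_user" "loadbalancer" {
  count = length(var.environments)
  name  = "${var.environments[count.index]}-loadbalancer"
}
```

The resulting addresses are aws_vpc_security_group_ingress_rule.vpn[0] to [4] and aws_iam_user.loadbalancer[0] to [2]; note that removing an item from the middle of a list shifts the indices of everything after it, so Terraform would destroy and recreate those later instances.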

Conditional Expression
Terraform in detail
Overview of Conditional Expression

A conditional expression uses the value of a boolean expression to select one of two values.

Syntax of a conditional expression:

condition ? true_val : false_val

If condition is true, the result is true_val. If condition is false, the result is false_val. Both values must be of the same type (or convertible to one).
Example of Conditional Expression
Suppose there are two resource blocks in the Terraform configuration (one for a test instance, one for a production instance).

Depending on the value of a boolean variable (is-test in the diagram), only one of the two resource blocks is created: true selects the first, false the second. This is done by using the conditional expression in the count of each resource.
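The two-resource switch described above, as an added example that is not part of the course slides. The variable name istest and the AMI ID (taken from another slide) are assumptions.

```hcl
# Added example (not from the slides): a boolean variable selects which of
# two resource blocks gets created.

variable "istest" {
  type    = bool
  default = true
}

# Created only when istest is true.
resource "aws_instance" "dev" {
  count         = var.istest ? 1 : 0
  ami           = "ami-bf5540df" # AMI from the slides; replace for your region
  instance_type = "t2.micro"
}

# Created only when istest is false.
resource "aws_instance" "prod" {
  count         = var.istest ? 0 : 1
  ami           = "ami-bf5540df"
  instance_type = "m4.large"
}

output "active_instance_id" {
  # A count of 0 yields an empty list, so pick whichever list is non-empty.
  value = var.istest ? aws_instance.dev[0].id : aws_instance.prod[0].id
}
```

Because the resources use count, they are addressed as `aws_instance.dev[0]` and `aws_instance.prod[0]`; referencing `aws_instance.dev.id` without the index is an error.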
Local Values
Terraform in detail
Overview of Local Values

A local value assigns a name to an expression, so the expression can be used multiple times within a module without repeating it.

Local Values Support for Expression
Local values can hold any expression, not just constants; a common use is a conditional expression whose result is reused in several places.

Important Pointers for Local Values

Local values help avoid repeating the same values or expressions multiple times in a configuration.

If overused, they can make a configuration hard to read for future maintainers by hiding the actual values used.

Use local values in moderation: where a single value or result is used in many places and is likely to change in future.
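A locals block holding a conditional expression and a reused tag map, as an added example that is not part of the course slides. The variable name environment and the tag keys are assumptions.

```hcl
# Added example (not from the slides): locals that hold a conditional
# expression and a tag map reused by several resources.

variable "environment" {
  type    = string
  default = "dev"
}

locals {
  is_prod       = var.environment == "prod"
  instance_type = local.is_prod ? "m4.large" : "t2.micro"

  # Defined once, merged into every resource's tags.
  common_tags = {
    Environment = var.environment
    ManagedBy   = "terraform"
  }
}

resource "aws_instance" "web" {
  ami           = "ami-bf5540df" # AMI from the slides; replace for your region
  instance_type = local.instance_type
  tags          = merge(local.common_tags, { Name = "web-${var.environment}" })
}

resource "aws_instance" "worker" {
  ami           = "ami-bf5540df"
  instance_type = local.instance_type
  tags          = merge(local.common_tags, { Name = "worker-${var.environment}" })
}
```

Changing the environment variable to "prod" switches both instances to m4.large through the single local, and no caller can override `local.instance_type` the way a variable could be overridden.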
Terraform Functions
Terraform in detail
Overview of Terraform Functions
The Terraform language includes a number of built-in functions that you can use to transform and combine values.

The general syntax for a function call is the function name followed by comma-separated arguments in parentheses:

function(argument1, argument2)

Example (in terraform console):

> max(5, 12, 9)
12

List of Available Functions
The Terraform language does not support user-defined functions, so only the functions built into the language are available. They fall into these categories:

● Numeric
● String
● Collection
● Encoding
● Filesystem
● Date and Time
● Hash and Crypto
● IP Network
● Type Conversion
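One function from most of the categories above, used together in a locals block, as an added example that is not part of the course slides. The CIDR range, names and the policy skeleton are assumptions.

```hcl
# Added example (not from the slides): built-in functions from several
# categories, with the value each one produces.

locals {
  # Numeric
  biggest = max(5, 12, 9) # 12

  # String
  name = format("%s-%s", upper("kplabs"), "web") # "KPLABS-web"

  # IP Network: carve three /24 subnets out of a /16
  vpc_cidr = "10.0.0.0/16"
  subnets  = [for i in range(3) : cidrsubnet(local.vpc_cidr, 8, i)]
  # ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]

  # Collection
  ports      = toset([80, 443, 80])               # {80, 443}: duplicates dropped
  env_lookup = lookup({ dev = "t2.micro" }, "qa", "t2.micro") # default when key missing

  # Encoding: build an IAM policy document as JSON rather than a heredoc
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = []
  })

  # Hash and Crypto: stable fingerprint of a value
  digest = sha256("hello")

  # Type Conversion
  retries = tonumber("3") # 3

  # Date and Time: timestamp() changes on every run, so avoid it in
  # arguments that would cause a perpetual diff.
  build_time = timestamp()
}

output "subnets" {
  value = local.subnets
}

output "digest" {
  value = local.digest
}
```

Evaluate any of these interactively with `terraform console` to confirm a result before wiring it into a resource.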
Data Sources
Terraform in detail
Overview of Data Sources

Data sources allow data to be fetched or computed for use elsewhere in a Terraform configuration.

Example: the same EC2 image has a different AMI ID in each region (Mumbai: ami-1234, Singapore: ami-5678, Tokyo: ami-9012). Rather than hardcoding the ID per region, a data source can look it up at plan time.

Data Source Code
● Defined under the data block.
● Reads from a specific data source (aws_ami) and exports the results under the local name "app_ami", referenced as data.aws_ami.app_ami.
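The aws_ami lookup described above, as an added example that is not part of the course slides. The image name pattern and owner are assumptions (they match the Amazon Linux 2 naming convention, but verify for your account).

```hcl
# Added example (not from the slides): look up the newest matching AMI in
# whatever region the provider is configured for, then use it.

data "aws_ami" "app_ami" {
  most_recent = true

  # Always restrict owners: without it, any public AMI with a matching
  # name (including a malicious look-alike) could be selected.
  owners = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.app_ami.id # resolved per region, not hardcoded
  instance_type = "t2.micro"
}

output "resolved_ami" {
  value = data.aws_ami.app_ami.id
}
```

Because most_recent = true can change the result over time, the plan may propose replacing the instance when a newer image is published; pin the name pattern to a specific build if that is not acceptable.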
Debugging Terraform
Terraform in detail
Overview of Debugging Terraform

Terraform has detailed logs which can be enabled by setting the TF_LOG environment variable to any value.

You can set TF_LOG to one of the log levels TRACE, DEBUG, INFO, WARN or ERROR to change the verbosity of the logs.

Important Pointers

TRACE is the most verbose, and it is the default if TF_LOG is set to something other than a log level name.

To persist logged output, set TF_LOG_PATH to a file path; when logging is enabled the log is appended to that file. Treat the log as sensitive: at TRACE and DEBUG levels it can contain request and response bodies from provider APIs.
Lecture Format - Terraform Course
Terraform in detail
Overview of the Format

We use a different folder for each practical in the course.

This keeps things systematic and makes it easy to revisit a practical later.

Lecture Name                Folder Name
Create First EC2 Instance   folder1
Tainting resource           folder2
Conditional Expression      folder3

Find the appropriate code from GitHub

Code in GitHub is arranged by sections that match the domains in the course.

Every section in GitHub has a Readme file for quick navigation.
Destroy Resource After Practical

We already know how to destroy resources:

terraform destroy

After you have completed a practical, make sure you destroy its resources before moving to the next one.

This is easier if you maintain a separate folder (and therefore a separate state file) for each practical.
Terraform Format
Terraform in detail
Importance of Readability

Anyone who programs knows the importance of formatting code for readability.

The terraform fmt command rewrites Terraform configuration files to the canonical format and style (indentation, alignment of = signs, spacing). Running it in CI with -check fails the build when a file is not formatted.

[Slide image: the same configuration before and after terraform fmt]
Terraform Validate
Terraform in detail
Overview of Terraform Validate

terraform validate primarily checks whether a configuration is syntactically valid and internally consistent.

It catches problems such as unsupported arguments, undeclared variables and type mismatches, without contacting any remote service or reading state.
Load Order & Semantics
Terraform in detail
Understanding Semantics

Terraform loads all the configuration files in the specified directory, in alphabetical order by file name.

Files must end in either .tf or .tf.json to indicate the format in use.

Example directory terraform-kplabs containing web.tf, app.tf, sg.tf and providers.tf: all four are loaded and treated as a single module, so the load order does not affect the result.
Dynamic Block
Terraform In Depth
Understanding the Challenge

In many use-cases there are repeatable nested blocks (for example several ingress blocks in a security group) that need to be defined.

Writing each one by hand leads to long code that is difficult to maintain over time.

Dynamic Blocks

A dynamic block lets you construct repeatable nested blocks dynamically from a collection. Dynamic blocks are supported inside resource, data, provider, and provisioner blocks.

Iterators

The optional iterator argument sets the name of the temporary variable that represents the current element of the complex value.

If omitted, the variable name defaults to the label of the dynamic block (for example, a dynamic "ingress" block exposes ingress.key and ingress.value).
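A security group whose ingress rules come from a map, with an explicit iterator name, as an added example that is not part of the course slides. The variable name, the rule set and the CIDR ranges are assumptions.

```hcl
# Added example (not from the slides): one dynamic "ingress" block replaces
# one hand-written ingress block per rule.

variable "ingress_rules" {
  type = map(object({
    port = number
    cidr = string
  }))
  default = {
    ssh   = { port = 22, cidr = "10.0.0.0/16" } # SSH only from inside the VPC
    https = { port = 443, cidr = "0.0.0.0/0" }
  }
}

resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Web tier"

  dynamic "ingress" {
    for_each = var.ingress_rules
    iterator = rule # without this line the variable would be called "ingress"
    content {
      description = rule.key        # "ssh", "https"
      from_port   = rule.value.port
      to_port     = rule.value.port
      protocol    = "tcp"
      cidr_blocks = [rule.value.cidr]
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Keeping the rules in a map rather than a list means adding or removing one rule does not shift the others, and the map key doubles as the rule description for reviewers.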
Terraform Taint
Understanding the Use-Case
You have created a new resource via Terraform.

Users then made a lot of manual changes to it (both to the infrastructure object and inside the server).

There are two ways to deal with this: bring the manual changes under Terraform's control (update the configuration to match them), or delete and recreate the resource from the known-good configuration.

Recreating the Resource
The -replace option of terraform apply forces Terraform to replace an object even though there are no configuration changes that would require it:

terraform apply -replace="aws_instance.web"

Terraform plans a destroy of the existing object followed by a create of its replacement.

Points to Note

Similar functionality was previously achieved with the terraform taint command, which marks the object in the state so that the next apply replaces it.

For Terraform v0.15.2 and later, HashiCorp recommends the -replace option with terraform apply (or terraform plan) instead, because the replacement is visible in the plan before anything changes and nothing is written to state until you approve.
Splat Expression

Terraform Expressions
Overview of Splat Expression
A splat expression ([*]) is shorthand for collecting one attribute from every element of a list, such as every instance of a resource that uses count, and returns those values as a list.
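Splat expressions over a counted resource, alongside the equivalent for expression, as an added example that is not part of the course slides. The resource name and AMI are assumptions.

```hcl
# Added example (not from the slides): [*] collects one attribute from every
# instance created with count.

resource "aws_instance" "web" {
  count         = 3
  ami           = "ami-bf5540df" # AMI from the slides; replace for your region
  instance_type = "t2.micro"
}

output "instance_ids" {
  value = aws_instance.web[*].id # list of three IDs
}

output "private_ips" {
  value = aws_instance.web[*].private_ip
}

# The splat is shorthand for this for expression:
output "private_ips_for" {
  value = [for inst in aws_instance.web : inst.private_ip]
}

# The splat only applies to lists (count). A for_each resource is a map, so
# take values() first or use a for expression.
output "first_arn_only" {
  value = aws_instance.web[0].arn # a single element still needs an index
}
```

`aws_instance.web[*].private_ip` returns a list even when count is 1, which is what makes it safe to feed into arguments such as cidr_blocks that expect a list.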
Terraform Graph

Terraform In Detail
Overview of Graph
The terraform graph command generates a visual representation of either a configuration or an execution plan.

The output is in DOT format, which can be converted to an image with Graphviz (the dot tool).
Saving Terraform Plan to a File

Terraform In Detail
Terraform Plan File
The generated plan can be saved to a specific path.

That saved plan can then be passed to terraform apply to guarantee that only the changes shown in the plan are applied; if the state has changed in the meantime, the apply fails as stale rather than applying something you did not review.

Example:

terraform plan -out=path

A saved plan file contains the full planned state, including any sensitive values in plain text, so protect it like the state file.
Terraform Output
Terraform in detail
Terraform Output

The terraform output command extracts the value of an output variable from the state file. Outputs marked sensitive = true are redacted in the default listing and only shown when you ask for them explicitly with -raw or -json.
Terraform Settings
Terraform in detail
Overview of Terraform Settings

The special terraform configuration block type is used to configure some behaviors of Terraform itself, such as requiring a minimum Terraform version to apply your configuration.

Terraform settings are gathered together into terraform blocks.

Setting 1 - Terraform Version

The required_version setting accepts a version constraint string, which specifies which versions of Terraform can be used with your configuration.

If the running version of Terraform doesn't match the constraints, Terraform produces an error and exits without taking any further action.

Setting 2 - Provider Version

The required_providers block specifies all of the providers required by the current module, mapping each local provider name to a source address and a version constraint. The exact provider versions selected are recorded in .terraform.lock.hcl, which should be committed so every run uses the same provider builds.
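A terraform block with both settings, as an added example that is not part of the course slides. The version constraints and the region are assumptions.

```hcl
# Added example (not from the slides): pin the Terraform CLI range and the
# provider source/version in one terraform block.

terraform {
  # Any 1.5.x or later 1.x release; refuses 2.x and anything older than 1.5.
  required_version = ">= 1.5.0, < 2.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws" # full address, so no unexpected provider is resolved
      version = "~> 5.0"        # any 5.x, no automatic jump to 6.0
    }
  }
}

provider "aws" {
  region = "ap-south-1"
}
```

Run `terraform init` after changing either constraint; it re-resolves the provider and updates the lock file, and the diff to `.terraform.lock.hcl` (new version and checksums) is what reviewers should inspect.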
Dealing with Larger Infrastructure
Terraform in detail
Challenges with Larger Infrastructure

With a larger infrastructure you will run into the provider's API rate limits: during terraform plan, Terraform refreshes the state of every resource (for example 5 EC2 instances, 3 RDS instances, 100 security group rules and the VPC infrastructure, all in one infra.tf), which means at least one API call per resource on every plan.

Dealing With Larger Infrastructure

Split the single infra.tf into smaller configurations, each in its own directory with its own state, so that each can be planned and applied independently: ec2.tf for the 5 EC2 instances, rds.tf for the 3 RDS instances, sg.tf for the 100 security group rules and vpc.tf for the VPC infrastructure.

Slow Down, My Man
We can prevent Terraform from querying the current state of every resource during operations like terraform plan.

This is achieved with the -refresh=false flag. The plan is then computed against the last known state, so drift that happened outside Terraform is not detected.

Specify the Target
The -target=ADDRESS flag restricts an operation to a specific resource (and its dependencies).

It is generally used to operate on isolated portions of very large configurations, or for recovery. Routine use leaves the rest of the configuration unapplied, so it is not a substitute for splitting the configuration.

terraform plan -target=aws_instance.web
Zipmap
Terraform Function
Overview of Zipmap

The zipmap function constructs a map from a list of keys and a corresponding list of values; the nth key is paired with the nth value, so both lists must have the same length.

List of Keys   List of Values   Result
pineapple      yellow           pineapple = yellow
orange         orange           orange = orange
strawberry     red              strawberry = red

Sample Output of Zipmap Function

zipmap(["pineapple", "orange", "strawberry"], ["yellow", "orange", "red"]) returns {pineapple = "yellow", orange = "orange", strawberry = "red"}.

Simple Use-Case
You are creating multiple IAM users.

You need an output that directly maps each IAM user name to its ARN.
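The IAM user use-case above, as an added example that is not part of the course slides. The user names and the variable name are assumptions.

```hcl
# Added example (not from the slides): build a name => ARN map for a set of
# IAM users with zipmap.

variable "user_names" {
  type    = list(string)
  default = ["user-01", "user-02", "user-03"]
}

resource "aws_iam_user" "iam" {
  count = length(var.user_names)
  name  = var.user_names[count.index]
}

output "user_arns" {
  # Two equal-length lists: [*].name as keys, [*].arn as values.
  value = zipmap(aws_iam_user.iam[*].name, aws_iam_user.iam[*].arn)
  # {
  #   "user-01" = "arn:aws:iam::...:user/user-01"
  #   "user-02" = "arn:aws:iam::...:user/user-02"
  #   "user-03" = "arn:aws:iam::...:user/user-03"
  # }
}

output "user_arns_for" {
  # Equivalent for expression; handy when the keys need transforming.
  value = { for u in aws_iam_user.iam : u.name => u.arn }
}
```

zipmap is the natural fit when the keys and values already exist as two parallel lists; the for expression form is clearer when either side needs a function applied first.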
Comments in Terraform Code
Commenting the Code!
Overview of Comments
A comment is a text note added to source code to provide explanatory information, usually about what the code does.

Comments in Terraform
The Terraform language supports three different comment syntaxes:

Syntax     Description
#          Begins a single-line comment, ending at the end of the line. This is the default style and should be used in most cases.
//         Also begins a single-line comment, as an alternative to #.
/* ... */  Start and end delimiters for a comment that may span multiple lines.
Resource Behavior and Meta-Argument
Understanding the Basics
A resource block declares that you want a particular infrastructure object to exist with the given settings.

How Terraform Applies a Configuration
● Create resources that exist in the configuration but are not associated with a real infrastructure object in the state.
● Destroy resources that exist in the state but no longer exist in the configuration.
● Update in-place resources whose arguments have changed.
● Destroy and re-create resources whose arguments have changed but which cannot be updated in-place due to remote API limitations.

Understanding the Limitations
What happens if we want to change the default behavior?

Example: someone modifies the real infrastructure object outside of Terraform (say the tags Name = HelloWorld and Env = Production are edited in the console), but you want Terraform to ignore those changes during terraform apply instead of reverting them.

Solution - Using Meta Arguments
Terraform allows meta-arguments inside the resource block which let some details of this standard resource behavior be customized on a per-resource basis.

Different Meta-Arguments

Meta-Argument  Description
depends_on     Handle hidden resource or module dependencies that Terraform cannot automatically infer.
count          Accepts a whole number, and creates that many instances of the resource.
for_each       Accepts a map or a set of strings, and creates an instance for each item in that map or set.
lifecycle      Allows modification of the resource lifecycle.
provider       Specifies which provider configuration to use for a resource, overriding Terraform's default behavior of selecting one based on the resource type name.
Meta Argument - LifeCycle
Basics of Lifecycle Meta-Argument
Some details of the default resource behavior can be customized using the special nested lifecycle block within a resource block body.

Arguments Available
There are four arguments available within the lifecycle block.

Argument               Description
create_before_destroy  The new replacement object is created first, and the prior object is destroyed after the replacement is created.
prevent_destroy        Terraform rejects with an error any plan that would destroy the infrastructure object associated with the resource.
ignore_changes         Ignore certain changes to the live resource that do not match the configuration.
replace_triggered_by   Replaces the resource when any of the referenced items change.

Create Before Destroy Argument
Understanding the Default Behavior
By default, when Terraform must change a resource argument that cannot be updated in-place due to remote API limitations (for example a changed AMI on an EC2 instance), Terraform destroys the existing object first and then creates a new replacement object with the new configured arguments. Between the two steps the resource does not exist.

Create Before Destroy Argument
The create_before_destroy meta-argument changes this behavior so that the new replacement object is created first, and the prior object is destroyed after the replacement is created. Both objects exist briefly, so this only works when the remote API allows two objects with the same identifying arguments (a fixed, unique name will conflict; use name_prefix or similar).
LifeCycle - Prevent Destroy Argument
Prevent Destroy Argument
This meta-argument, when set to true, causes Terraform to reject with an error any plan that would destroy the infrastructure object associated with the resource, as long as the argument remains present in the configuration.
Points to Note
This can be used as a safety measure against the accidental replacement of objects that are costly to reproduce, such as database instances.

Since the argument must be present in the configuration for the protection to apply, it does not prevent the remote object from being destroyed if the resource block is removed from the configuration entirely, or if someone simply deletes the lifecycle line before running apply. It is a guard against mistakes, not an access control.
LifeCycle - Ignore Changes Argument
Ignore Changes
When settings of a remote object are modified by processes outside of Terraform, Terraform would attempt to "fix" them back to the configuration on the next run.

To change this behavior and keep the manually applied change, use the ignore_changes argument under lifecycle, listing the attributes to ignore.
Points to Note
Instead of a list, the special keyword all may be used to instruct Terraform to ignore all attributes, which means that Terraform can create and destroy the remote object but will never propose updates to it. Be careful with ignore_changes on security-relevant attributes (IAM policies, security group rules, tags used for access control): drift there goes unnoticed.
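All four lifecycle arguments described in the sections above, on two resources, as an added example that is not part of the course slides. The resource names, the database settings and the secret-handling variable are assumptions.

```hcl
# Added example (not from the slides): create_before_destroy, ignore_changes
# and replace_triggered_by on an instance; prevent_destroy on a database.

variable "db_password" {
  type      = string
  sensitive = true # supply via TF_VAR_db_password or a secrets manager, never in code
}

resource "aws_security_group" "web" {
  name_prefix = "web-" # a generated name lets old and new objects coexist
}

resource "aws_instance" "web" {
  ami                    = "ami-bf5540df" # AMI from the slides; replace for your region
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.web.id]

  tags = {
    Name = "HelloWorld"
    Env  = "Production"
  }

  lifecycle {
    # Changing the AMI forces replacement: build the new instance first,
    # then destroy the old one, so there is no window with zero instances.
    create_before_destroy = true

    # Someone edits the Env tag in the console: do not revert it on the next
    # apply. Only this attribute is ignored; other tag changes are enforced.
    ignore_changes = [tags["Env"]]

    # Replace this instance whenever the security group itself is replaced.
    replace_triggered_by = [aws_security_group.web.id]
  }
}

resource "aws_db_instance" "main" {
  identifier          = "kplabs-db"
  engine              = "mysql"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "admin"
  password            = var.db_password
  skip_final_snapshot = false # keep a final snapshot if it is ever deleted

  lifecycle {
    # Any plan that would destroy the database errors out while this line
    # exists in the configuration.
    prevent_destroy = true
  }
}
```

With this configuration, `terraform destroy` fails on aws_db_instance.main, a manual edit of the Env tag produces no diff, and changing the instance's AMI yields a create-then-destroy sequence in the plan.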
Challenges with Count
Meta-Argument
Revising the Basics
With count, each resource instance is identified by its index in the list.

Resource Address     Infrastructure
aws_iam_user.iam[0]  user-01
aws_iam_user.iam[1]  user-02
aws_iam_user.iam[2]  user-03

Challenge - 1

If the order of the list elements changes (for example user-01 is removed from the front of the list), every later index shifts, and Terraform plans changes to all of the other resources even though only one user was meant to go.

Resource Address     Infrastructure (after removing user-01)
aws_iam_user.iam[0]  user-02 (was user-01: Terraform proposes to update or replace it)
aws_iam_user.iam[1]  user-03 (was user-02: same)
aws_iam_user.iam[2]  destroyed

Important Note

If your resources are almost identical, count is appropriate.

If distinct values are needed in the arguments, for_each is recommended.
Data Type - SET
Let's Revise Programming
Basics of List

● Lists are used to store multiple items in a single variable.
● List items are ordered, changeable, and allow duplicate values.
● List items are indexed: the first item has index [0], the second item has index [1], and so on.

Understanding SET

● A set is used to store multiple items in a single variable.
● Set items are unordered and duplicates are not allowed: a list may contain the same value twice, but a set keeps only one copy.

toset Function

The toset function converts a list of values to a set, discarding duplicates; the original list order is not preserved.
for_each
Meta-Argument
Basics of For Each

for_each uses the map key or set member as the index of each created resource instance, instead of a number.

Resource Address             Infrastructure
aws_iam_user.iam["user-01"]  user-01
aws_iam_user.iam["user-02"]  user-02
aws_iam_user.iam["user-03"]  user-03

Revisiting the Count Challenge

If a new element is added (or one is removed), the other instances keep their addresses and are not affected.

Resource Address             Infrastructure
aws_iam_user.iam["user-01"]  user-01
aws_iam_user.iam["user-02"]  user-02
aws_iam_user.iam["user-03"]  user-03
aws_iam_user.iam["user-0"]   user-0 (newly added; only this instance is created)

The each object

In blocks where for_each is set, an additional each object is available.

This object has two attributes:

Each object  Description
each.key     The map key (or set member) corresponding to this instance.
each.value   The map value corresponding to this instance (for a set, the same as each.key).
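for_each over a set built with toset and over a map, using each.key and each.value, as an added example that is not part of the course slides. It serves the SET, toset and for_each sections above; the user names, instance types and AMI are assumptions.

```hcl
# Added example (not from the slides): for_each with a set (via toset) and
# with a map, showing each.key / each.value.

locals {
  # Duplicate on purpose: toset() collapses it to three members.
  user_list = ["user-01", "user-02", "user-02", "user-03"]
}

resource "aws_iam_user" "iam" {
  for_each = toset(local.user_list) # keys: user-01, user-02, user-03
  name     = each.key               # for a set, each.key == each.value
}

variable "instance_types" {
  type = map(string)
  default = {
    dev  = "t2.micro"
    prod = "m4.large"
  }
}

resource "aws_instance" "app" {
  for_each      = var.instance_types
  ami           = "ami-bf5540df" # AMI from the slides; replace for your region
  instance_type = each.value     # "t2.micro" for dev, "m4.large" for prod
  tags = {
    Name = "${each.key}-app"     # "dev-app", "prod-app"
  }
}

output "user_addresses" {
  value = keys(aws_iam_user.iam) # ["user-01", "user-02", "user-03"]
}

output "prod_instance_id" {
  value = aws_instance.app["prod"].id # map-style index, not a number
}
```

Appending "user-0" to user_list later creates exactly one new instance, `aws_iam_user.iam["user-0"]`, and leaves the existing three untouched; a counted resource would have renumbered them.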
Provisioners
Interesting Part is here
Provisioners are interesting
Till now we have only worked on creating and destroying infrastructure.

Let's take an example:

We created a web-server EC2 instance with Terraform.

Problem: it is only an EC2 instance; it does not have any software installed.

What if we want a complete end-to-end solution?

Welcome to Terraform Provisioners
Provisioners are used to execute scripts on a local or remote machine as part of resource creation or destruction.

Example: on creation of the web server, execute a script which installs the Nginx web server (Create EC2, then Install Nginx).

Types of Provisioners
Terraform can run provisioners both at the time of resource creation and at the time of destruction.

There are two main provisioner types, distinguished by where the command runs:

local-exec (on the machine running Terraform) and remote-exec (on the created resource, over SSH or WinRM).

HashiCorp documents provisioners as a last resort: prefer user_data / cloud-init, pre-built images or a configuration-management tool where possible, because what a provisioner does is not tracked in state and cannot be planned.
Local Exec Provisioners
local-exec provisioners let us invoke a local executable after the resource is created.

Example:

resource "aws_instance" "web" {
  # ...

  provisioner "local-exec" {
    # self refers to the resource the provisioner is attached to;
    # referencing aws_instance.web from inside its own block is a cycle error
    command = "echo ${self.private_ip} >> private_ips.txt"
  }
}
Remote Exec Provisioners
remote-exec provisioners invoke scripts directly on the remote server, over a connection block (SSH or WinRM) that Terraform uses to reach it.

Example:

resource "aws_instance" "web" {
  # ...

  provisioner "remote-exec" {
    …………………………...
  }
}
Provisioner Types
Terraform in detail
Overview of Provisioner Types

By timing, there are two kinds of provisioners:

Type                       Description
Creation-Time Provisioner  Creation-time provisioners only run during creation, not during updating or any other lifecycle step. If a creation-time provisioner fails, the resource is marked as tainted, so it is replaced on the next apply.
Destroy-Time Provisioner   Destroy provisioners run before the resource is destroyed.

Destroy Time Provisioner

If when = destroy is specified, the provisioner runs when the resource it is defined within is destroyed. A destroy-time provisioner can only reference self, count.index and each.key, and it does not run if the resource is tainted or if its resource block has already been removed from the configuration.
local-exec
Provisioners Time!
Provisioners are interesting
local-exec provisioners let us invoke a local executable after the resource is created.

One of the most common uses of local-exec is to run an Ansible playbook against the server after it is created.

provisioner "local-exec" {
  command = "echo ${self.private_ip} >> private_ips.txt"
}
Failure Behavior - Provisioners
Terraform in detail
Provisioner - Failure Behaviour

By default, a provisioner that fails also causes the terraform apply itself to fail.

The on_failure setting can be used to change this. The allowed values are:

Allowed Value  Description
continue       Ignore the error and continue with creation or destruction.
fail           Raise an error and stop applying (the default behavior). If this is a creation provisioner, taint the resource.
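Creation-time remote-exec and local-exec provisioners, a destroy-time provisioner and on_failure on one instance, as an added example that is not part of the course slides. It serves the local-exec, remote-exec, provisioner-type and failure-behaviour sections above. The key pair name, key path, SSH user and package commands are assumptions (they fit an Amazon Linux image; adjust for yours).

```hcl
# Added example (not from the slides): every provisioner kind discussed
# above, attached to a single instance.

resource "aws_instance" "web" {
  ami           = "ami-bf5540df"  # AMI from the slides; replace for your region
  instance_type = "t2.micro"
  key_name      = "kplabs-key"    # assumed: existing EC2 key pair

  # How Terraform reaches the box for remote-exec. self = this instance.
  connection {
    type        = "ssh"
    host        = self.public_ip
    user        = "ec2-user"
    private_key = file(pathexpand("~/.ssh/kplabs-key.pem")) # assumed path; keep it out of the repo
  }

  # Creation-time, remote side: install and start nginx.
  provisioner "remote-exec" {
    inline = [
      "sudo yum install -y nginx",
      "sudo systemctl enable --now nginx",
    ]
  }

  # Creation-time, local side: record the address. A failure here (for
  # example a read-only directory) should not taint the instance.
  provisioner "local-exec" {
    command    = "echo ${self.private_ip} >> private_ips.txt"
    on_failure = continue
  }

  # Destroy-time: runs before the instance is destroyed. Only self,
  # count.index and each.key may be referenced here.
  provisioner "local-exec" {
    when    = destroy
    command = "echo 'destroying ${self.id}' >> destroyed.txt"
  }
}
```

If the remote-exec step fails, the instance stays tainted in state and the next apply replaces it; the local-exec step with on_failure = continue never has that effect. The private key is read from disk at plan time, so the machine running Terraform holds SSH access to every instance it builds this way.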
DRY Principle
Software Engineering
Understanding DRY Approach
In software engineering, don't repeat yourself (DRY) is a principle aimed at reducing repetition of software patterns.

In the earlier lecture, we moved static content into variables so that there is a single source of information.

We are repeating resource code
We end up repeating the same Terraform resources many times across projects.

Sample EC2 Resource

resource "aws_instance" "myweb" {
  ami             = "ami-bf5540df"
  instance_type   = "t2.micro"
  security_groups = ["default"]
}

Centralized Structure
We can centralize Terraform resources in a module and call it from other configurations whenever required. A module block whose source argument points at the module directory pulls in the resources defined there:

resource "aws_instance" "myweb" {
  ami             = "ami-bf5540df"
  instance_type   = "t2.micro"
  security_groups = ["default"]
}
Challenges with Modules
Software Engineering
Challenges
A common need in infrastructure management is to build environments like staging and production with a similar setup but different values per environment.

Staging     instance_type = t2.micro
Production  instance_type = m4.large

Challenges
When a module is used directly without any inputs, every caller gets an exact replica of the code in the module: development, staging and production would all end up with t2.micro, even though they should get t2.micro, t2.small and m4.large respectively.

resource "aws_instance" "myweb" {
  ami             = "ami-bf5540df"
  instance_type   = "t2.micro"
  security_groups = ["default"]
}
Using Locals with Modules
Terraform Function
Understanding the Challenge
Exposing a value as a module variable also allows callers to override it, which you might not want. With instance_type = var.instance_type, nothing stops development from passing m5.xlarge, staging m5.2xlarge and production t2.medium, the opposite of what was intended.

resource "aws_instance" "myweb" {
  ami           = "ami-bf5540df"
  instance_type = var.instance_type
}

Setting the Context
There can be many repetitive values in a module (a hardcoded port used in several places, for example), which makes the code hard to maintain.

You can centralize these using variables, but then callers can override them.

Using Locals
Instead of variables, use locals for values that should be fixed inside the module: a local is still defined once and reused, but it is not part of the module's interface, so callers cannot override it.
Module Outputs
Output the Data
Revising Output Values
Output values make information about your infrastructure available on the command line, and can expose information for other Terraform configurations to use.

Accessing Child Module Outputs
In a parent module, outputs of child modules are available in expressions as module.<MODULE NAME>.<OUTPUT NAME>. Only values the child module explicitly outputs are visible; its resources are not directly addressable from the parent.
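A small module with a variable for the per-environment value, a local for a value callers must not override, and an output read by the root module, as an added example that is not part of the course slides. It serves the DRY, module-challenge, locals-with-modules and module-output sections above. The directory layout, variable names and AMI are assumptions.

```hcl
# Added example (not from the slides). File boundaries are marked with
# comments; in practice each section is its own file.

# ---- modules/ec2/variables.tf ----
variable "instance_type" {
  type = string # intentionally exposed: differs per environment
}

# ---- modules/ec2/main.tf ----
locals {
  ami      = "ami-bf5540df" # fixed inside the module; callers cannot override a local
  ssh_port = 22             # referenced in several places, defined once
}

resource "aws_security_group" "myweb" {
  name = "myweb-sg"
  ingress {
    from_port   = local.ssh_port
    to_port     = local.ssh_port
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }
}

resource "aws_instance" "myweb" {
  ami                    = local.ami
  instance_type          = var.instance_type
  vpc_security_group_ids = [aws_security_group.myweb.id]
}

# ---- modules/ec2/outputs.tf ----
output "instance_id" {
  value = aws_instance.myweb.id
}

# ---- root module: main.tf ----
module "staging" {
  source        = "./modules/ec2"
  instance_type = "t2.micro"
}

module "production" {
  source        = "./modules/ec2"
  instance_type = "m4.large"
}

output "prod_instance_id" {
  value = module.production.instance_id # module.<NAME>.<OUTPUT>
}
```

A caller that tries `ami = "ami-other"` in its module block gets "An argument named ami is not expected here", which is exactly the guarantee the locals section asks for.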
Terraform Registry
Terraform in detail
Overview of Terraform Registry

The Terraform Registry is a repository of modules written by the Terraform community.

The registry can help you get started with Terraform more quickly.

Module Location

If we intend to use a module, we need to define the path where the module files are present.

The module files can be stored in multiple locations, some of which include:

● Local Path
● GitHub
● Terraform Registry
● S3 Bucket
● HTTP URLs

Verified Modules in Terraform Registry

Within the Terraform Registry you can find verified modules that are maintained by various third-party vendors.

These modules are available for resources like AWS VPC, RDS, ELB and others.

Verified Modules in Terraform Registry

Verified modules are reviewed by HashiCorp and actively maintained by contributors to stay up-to-date and compatible with both Terraform and their respective providers.

A blue verification badge appears next to modules that are verified.

Module verification is currently a manual process restricted to a small group of trusted HashiCorp partners. Verification is about maintenance, not a security audit: review the module source and pin its version before using it in production.

Using Registry Module in Terraform

To use a Terraform Registry module in code, set the source argument to the module's registry path.

The code below references the EC2 Instance module within the Terraform Registry:

module "ec2-instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "2.13.0"
  # insert the 10 required variables here
}
Publishing Modules
Publish Modules to Terraform Registry
Overview of Publishing Modules
Anyone can publish and share modules on the Terraform Registry.

Published modules support versioning, automatically generate documentation, allow browsing version histories, show examples and READMEs, and more.

Requirements for Publishing Module

Requirement               Description
GitHub                    The module must be on GitHub and must be a public repo. This is only a requirement for the public registry.
Named                     Module repositories must use the three-part name format terraform-<PROVIDER>-<NAME>.
Repository description    The GitHub repository description is used to populate the short description of the module.
Standard module structure The module must adhere to the standard module structure.
x.y.z tags for releases   The registry uses tags to identify module versions. Release tag names must be a semantic version, optionally prefixed with a v. For example, v1.0.4 and 0.9.2.

Standard Module Structure
The standard module structure is a file and directory layout that is recommended for reusable modules distributed in separate repositories.
Terraform Workspace
Interesting topics
Understanding WorkSpaces
Terraform allows multiple workspaces for one configuration. Each workspace has its own separate state, and the configuration can read the current workspace name (terraform.workspace) to pick different values per environment:

Staging     instance_type = t2.micro
Production  instance_type = m4.large

Project A

Workspaces share the same backend and credentials, so they separate state, not access; strongly isolated environments (separate accounts, separate permissions) still need separate configurations or backends.
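Selecting the instance type by workspace name, as an added example that is not part of the course slides. The workspace names, the fallback value and the AMI are assumptions.

```hcl
# Added example (not from the slides): terraform.workspace drives a lookup
# into a map of per-environment values.

locals {
  instance_type_by_workspace = {
    default    = "t2.micro" # the workspace that exists before any are created
    staging    = "t2.micro"
    production = "m4.large"
  }
}

resource "aws_instance" "web" {
  ami = "ami-bf5540df" # AMI from the slides; replace for your region

  # Unknown workspace names fall back to the smallest size rather than failing.
  instance_type = lookup(local.instance_type_by_workspace, terraform.workspace, "t2.micro")

  tags = {
    Name        = "web-${terraform.workspace}"
    Environment = terraform.workspace
  }
}

output "workspace" {
  value = terraform.workspace
}
```

`terraform workspace new production` followed by `terraform apply` builds an m4.large under the production state; switching back with `terraform workspace select staging` and applying again touches only the staging state.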
Team Collaboration
Terraform in detail
Local Changes are not always good
So far we have been working with Terraform code locally, on a single machine, where nobody else can see or review it.

Centralized Management

The Terraform code should instead live in a central repository (Git) that every project collaborator pulls from and pushes to, so that changes are reviewed before apply and there is a single source of truth.
Terraform Module Sources
Terraform in detail
Supported Module Sources

The source argument in a module block tells Terraform where to find the source code for the desired child module.

● Local paths
● Terraform Registry
● GitHub
● Bitbucket
● Generic Git, Mercurial repositories
● HTTP URLs
● S3 buckets
● GCS buckets

Local Path

A local path must begin with either ./ or ../ to indicate that a local path is intended.

Git Module Source
Arbitrary Git repositories can be used by prefixing the address with the special git:: prefix.

After this prefix, any valid Git URL can be specified to select one of the protocols supported by Git.

Referencing to a Branch
By default, Terraform clones and uses the default branch (referenced by HEAD) of the selected repository.

You can override this using the ref query parameter in the source URL.

The value of ref can be any reference that would be accepted by the git checkout command, including branch and tag names. For reproducible, tamper-evident builds, pin to a tag or, better, a full commit hash rather than a branch that can move.
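Git module sources with and without ref, as an added example that is not part of the course slides. The repository URL is hypothetical, and the commit hash is a made-up value standing in for a real one.

```hcl
# Added example (not from the slides): git:: sources pinned three ways.

# Default branch (HEAD): whatever is on the branch when init runs.
module "vpc_head" {
  source = "git::https://github.com/kplabs-example/terraform-aws-vpc.git"
}

# A tag: reproducible as long as nobody moves the tag.
module "vpc_tag" {
  source = "git::https://github.com/kplabs-example/terraform-aws-vpc.git?ref=v1.2.0"
}

# A full commit hash over SSH: the strongest pin, since a hash cannot be
# re-pointed at different content. (Hash below is a placeholder.)
module "vpc_commit" {
  source = "git::ssh://git@github.com/kplabs-example/terraform-aws-vpc.git?ref=9b3f2a1c4d5e6f708192a3b4c5d6e7f8091a2b3c"
}

# A subdirectory inside the repository, combined with a ref.
module "vpc_subdir" {
  source = "git::https://github.com/kplabs-example/terraform-aws-vpc.git//modules/subnets?ref=v1.2.0"
}
```

`terraform init` clones each source into `.terraform/modules/`; re-run `terraform init -upgrade` after changing a ref, otherwise the previously downloaded copy is reused.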
Terraform & GitIgnore
Terraform in detail
Overview of gitignore

The .gitignore file is a text file that tells Git which files or folders to ignore in a project, for example:

.gitignore
conf/
*.artifacts
credentials

Terraform and .gitignore

Depending on the environment, it is recommended to avoid committing certain files to Git:

Files to Ignore    Description
.terraform/        Provider plugin and module cache; recreated when terraform init is run. (The lock file .terraform.lock.hcl, by contrast, should be committed.)
terraform.tfvars   Likely to contain sensitive data like usernames/passwords and secrets; the same applies to any *.tfvars file.
terraform.tfstate  Contains every attribute of every resource, including secrets in plain text; store it in a remote backend, not in Git, and ignore *.tfstate.backup as well.
crash.log          If Terraform crashes, the logs are written to crash.log; they can include sensitive data.
Terraform Backend
Terraform in detail
Basics of Backends
Backends primarily determine where Terraform stores its state.

By default, Terraform implicitly uses a backend called local, which stores state as a file named terraform.tfstate on disk next to the configuration (demo.tf).

Challenge with Local Backend
Nowadays a Terraform project is handled and collaborated on by an entire team.

Storing the state file on a local laptop does not allow collaboration, and a lost laptop means lost state.

Ideal Architecture
The following is one of the recommended architectures:

1. The Terraform code (the .tf files) is stored in a central Git repository shared by the project collaborators.
2. The state file (terraform.tfstate) is stored in a central backend.

Backends Supported in Terraform

Terraform supports multiple backends that store state in a remote service.

Some of the popular backends include:

● S3
● Consul
● Azurerm
● Kubernetes
● HTTP
● ETCD (removed in Terraform 1.3)

Important Note
Accessing state in a remote service generally requires some kind of access credentials: the Terraform user must authenticate first (for example to the S3 bucket) before it can store the state file. Whoever can read that bucket can read every secret in the state, so scope those credentials tightly.

Some backends act like plain "remote disks" for state files; others support locking the state while operations are being performed, which helps prevent conflicts and inconsistencies.
State Locking
Let’s Lock the State
Understanding State Lock
Whenever you perform a write operation, Terraform locks the state file.

This is important: if someone else runs terraform apply at the same time as your ongoing apply, two writers can corrupt the state file.

Basic Working

User 1 runs terraform apply and acquires the lock. While it holds the lock, User 2's terraform destroy is refused ("Error acquiring the state lock") until the first operation finishes and releases it.

Important Note

State locking happens automatically on all operations that could write state. You won't see any message that it is happening.

If state locking fails, Terraform will not continue.

Not all backends support locking. The documentation for each backend includes details on whether it supports locking or not.

Force Unlocking State
Terraform has a force-unlock command to manually unlock the state if automatic unlocking failed (for example after a crashed run).

If you unlock the state while someone else is holding the lock, you can end up with multiple writers.

Force unlock should only be used to unlock your own lock, in the situation where automatic unlocking failed; it requires the lock ID printed in the error message.
State Locking in S3 Backend
Back to Providers
State Locking in S3
By default, the S3 backend does not lock the state: S3 itself is a plain object store.

You need a DynamoDB table (with a string hash key named LockID) to get state locking with the S3 backend. Newer Terraform releases (1.10 and later) can alternatively lock with an S3 lock file via use_lockfile = true, but the DynamoDB approach is what the exam and this course cover.

terraform.tfstate  S3 Bucket
State Lock         DynamoDB
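The bootstrap resources for a locked S3 backend and the backend block that uses them, as an added example that is not part of the course slides. It serves the backend and state-locking sections above. The bucket name, table name and region are assumptions; the bootstrap resources belong in a separate configuration applied once, because a backend cannot create the bucket it stores state in.

```hcl
# Added example (not from the slides). Two configurations are shown in one
# block; the file boundary is marked with a comment.

# ---- bootstrap configuration (applied once, with local state) ----
resource "aws_s3_bucket" "state" {
  bucket = "kplabs-terraform-state" # assumed; must be globally unique
}

resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled" # lets you roll back a corrupted or mistakenly pushed state
  }
}

resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_dynamodb_table" "lock" {
  name         = "terraform-state-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID" # the S3 backend requires exactly this key name

  attribute {
    name = "LockID"
    type = "S"
  }
}

# ---- every project configuration ----
terraform {
  backend "s3" {
    bucket         = "kplabs-terraform-state"
    key            = "project-a/terraform.tfstate" # one key per project
    region         = "ap-south-1"
    encrypt        = true                          # server-side encryption of the state object
    dynamodb_table = "terraform-state-lock"        # turns on locking
  }
}
```

Backend blocks cannot use variables, so the same literal bucket and table names appear in every project; a partial backend configuration file passed to `terraform init -backend-config=` is the usual way to avoid repeating them.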
Terraform State Management
Advanced State Management
Overview of State Modification

As your Terraform usage becomes more advanced, there are some cases where you may need to
modify the Terraform state.

It is important to never modify the state file directly. Instead, make use of terraform state
command.

knowledge portal
Overview of State Modification

There are multiple sub-commands that can be used with terraform state, these include:

State Sub Command Description

list List resources within terraform state file.

mv Moves item with terraform state.

pull Manually download and output the state from remote state.

push Manually upload a local state file to remote state.

rm Remove items from the Terraform state

show Show the attributes of a single resource in the state.

knowledge portal
Sub Command - List

The terraform state list command is used to list resources within a Terraform state.

knowledge portal
Sub Command - Move
The terraform state mv command is used to move items in a Terraform state.

This command is used in many cases in which you want to rename an existing resource without
destroying and recreating it.

Due to the destructive nature of this command, this command will output a backup copy of the
state prior to saving any changes

Overall Syntax:

terraform state mv [options] SOURCE DESTINATION

knowledge portal
Sub Command - Pull

The terraform state pull command is used to manually download and output the state from
remote state.

This is useful for reading values out of state (potentially pairing this command with something
like jq).

knowledge portal
Sub Command - Push

The terraform state push command is used to manually upload a local state file to remote state.

This command should rarely be used.

knowledge portal
Sub Command - Remove

The terraform state rm command is used to remove items from the Terraform state.

Items removed from the Terraform state are not physically destroyed.

Items removed from the Terraform state are only no longer managed by Terraform

For example, if you remove an AWS instance from the state, the AWS instance will continue
running, but terraform plan will no longer see that instance.

Sub Command - Show

The terraform state show command is used to show the attributes of a single resource in the
Terraform state.

Connecting Remote States
Terraform in detail
Basics of Terraform Remote State
The terraform_remote_state data source retrieves the root module output values from some
other Terraform configuration, using the latest state snapshot from the remote backend.

[Diagram: Project 1 publishes its instance public IPs (172.31.0.5, 172.31.0.6) as output values to remote state in an S3 bucket; Project 2 fetches those output values and whitelists them in a security group]
Step 1 - Create a Project with Output Values & S3 Backend

Step 2 - Reference Output Values from Different Project
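Steps 1 and 2 as one worked example, added here and not taken from the course's own screenshots: Project 1 publishes its instance public IPs through an S3 backend, and Project 2 reads them with terraform_remote_state to whitelist them in a security group. The bucket name, state key, AMI ID and port are assumptions; the two halves live in two separate project directories.

```hcl
# ---- Project 1 (project1/main.tf): S3 backend plus the output that Project 2 consumes ----
terraform {
  backend "s3" {
    bucket = "example-tfstate-bucket"      # assumed bucket name
    key    = "project1/terraform.tfstate"
    region = "us-east-1"
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "app" {
  count         = 2
  ami           = "ami-0123456789abcdef0"  # placeholder AMI ID
  instance_type = "t2.micro"
}

output "public_ips" {
  description = "Public IPs of the app instances, read by Project 2"
  value       = aws_instance.app[*].public_ip
}

# ---- Project 2 (project2/main.tf): read Project 1's root-module outputs from the same bucket ----
data "terraform_remote_state" "project1" {
  backend = "s3"
  config = {
    bucket = "example-tfstate-bucket"
    key    = "project1/terraform.tfstate"
    region = "us-east-1"
  }
}

resource "aws_security_group" "whitelist" {
  name = "allow-project1-instances"

  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
    # Only the addresses exported by Project 1 are allowed, one /32 per instance.
    cidr_blocks = [for ip in data.terraform_remote_state.project1.outputs.public_ips : "${ip}/32"]
  }
}
```

terraform_remote_state needs read access to Project 1's entire state snapshot, not only its outputs, so anything sensitive recorded in Project 1's state is readable by whoever can run Project 2.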

Terraform Import
Typical Challenge
It can happen that all the resources in an organization are created manually.

Organization now wants to start using Terraform and manage these resources
via Terraform.

Earlier Approach
In the older approach, terraform import would create the state file associated
with the resources running in your environment.

Users still had to write the .tf files from scratch.

[Diagram: terraform import creates terraform.tfstate from the manually created resources, while s3.tf and ec2.tf are written manually]
Newer Approach
In the newer approach, terraform import can automatically create the terraform
configuration files for the resources you want to import.

[Diagram: terraform import creates both resources.tf and terraform.tfstate from the manually created resources]
Point to Note

Terraform 1.5 introduces automatic code generation for imported resources.

This dramatically reduces the amount of time you need to spend writing code to
match the imported

This feature is not available in older versions of Terraform.
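The newer workflow as an added example (not the course's code): import blocks declare which existing objects map to which resource addresses, and terraform plan -generate-config-out writes the matching resource blocks. The bucket name and instance ID are placeholders.

```hcl
# import.tf: map manually created objects to resource addresses (Terraform 1.5+).
import {
  to = aws_s3_bucket.legacy
  id = "my-legacy-bucket"        # placeholder: the real bucket name
}

import {
  to = aws_instance.legacy
  id = "i-0123456789abcdef0"     # placeholder: the real instance ID
}

# Next:
#   terraform plan -generate-config-out=generated.tf
# writes resource "aws_s3_bucket" "legacy" and resource "aws_instance" "legacy"
# blocks into generated.tf from the live objects. Review that file before keeping it:
# generated attributes may include values you would rather keep out of code.
# Then:
#   terraform apply
# records both objects in terraform.tfstate without modifying them.
```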


Provider Configuration
Terraform in detail
Single Provider Multiple Configuration
Until now, we have been hardcoding the AWS region parameter within providers.tf.

This means that resources would be created in the region specified in the providers.tf file.

[Diagram: resource "myec201" created in us-east-1 and in ap-south-1 through separate provider configurations]

Single Provider Multiple Configuration

[Diagram: resource "myec201" created in Account 01 and in Account 02 through separate provider configurations]

Terraform with STS
Terraform in detail
Definitive Use-Case
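Both diagrams and the STS use-case as one added example (not the course's code): one provider configuration per region and one per account, with the second account reached through STS AssumeRole so no long-lived keys for that account appear in the code. The role ARN, account ID and AMI IDs are placeholders.

```hcl
# Default configuration: the account the ambient credentials belong to, region us-east-1.
provider "aws" {
  region = "us-east-1"
}

# Same account, second region.
provider "aws" {
  alias  = "mumbai"
  region = "ap-south-1"
}

# Second account: Terraform calls STS AssumeRole with the default credentials and
# receives short-lived credentials for Account 02 at run time.
provider "aws" {
  alias  = "account02"
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/TerraformDeploy"  # placeholder account ID and role
    session_name = "terraform"
  }
}

resource "aws_instance" "myec201_virginia" {
  # No provider argument: uses the default configuration.
  ami           = "ami-0123456789abcdef0"  # placeholder
  instance_type = "t2.micro"
}

resource "aws_instance" "myec201_mumbai" {
  provider      = aws.mumbai
  ami           = "ami-0fedcba9876543210"  # placeholder (AMI IDs differ per region)
  instance_type = "t2.micro"
}

resource "aws_instance" "myec201_account02" {
  provider      = aws.account02
  ami           = "ami-0123456789abcdef0"  # placeholder
  instance_type = "t2.micro"
}
```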

Sensitive Parameter
Terraform Security
Overview of Sensitive Parameter

With organizations managing their entire infrastructure in Terraform, it is likely that you will see
some sensitive information embedded in the code.

When working with a field that contains information likely to be considered sensitive, it is best to
set the sensitive property on its schema to true.

Overview of Sensitive Parameter

Setting sensitive to "true" will prevent the field's values from showing up in CLI output and
in Terraform Cloud.

It will not encrypt or obscure the value in the state, however.

Overview of Vault
HashiCorp Certified: Vault Associate
Let’s get started
HashiCorp Vault allows organizations to securely store secrets like tokens, passwords and certificates,
along with access management for protecting those secrets.

One of the common challenges in organizations nowadays is "Secrets Management".

Secrets can include database passwords, AWS access/secret keys, API tokens, encryption keys
and others.

[Diagram: Dynamic Secrets]

Life Becomes Easier
Once Vault is integrated with multiple backends, your life becomes much easier and you can
focus more on the right work.

A major part of access management can be taken over by Vault.

Vault Provider
Back to Providers
Vault Provider
The Vault provider allows Terraform to read from, write to, and configure HashiCorp
Vault.

[Diagram: Vault holds db_creds (admin / password123) and injects them into Terraform]

Important Note

Interacting with Vault from Terraform causes any secrets that you read and write to be
persisted in Terraform's state file.
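An added example (not the course's code) that ties the sensitive parameter and the Vault provider together: db_creds is read from Vault, passed to a database resource, and exposed only through an output marked sensitive. The Vault address, mount path and secret key names are assumptions.

```hcl
provider "vault" {
  address = "https://vault.example.internal:8200"  # assumed address; the token comes from VAULT_TOKEN, never from code
}

# Read db_creds from a KV (version 1) secrets engine mounted at "secret/".
data "vault_generic_secret" "db_creds" {
  path = "secret/db_creds"
}

resource "aws_db_instance" "main" {
  identifier          = "app-db"
  engine              = "mysql"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = data.vault_generic_secret.db_creds.data["username"]
  password            = data.vault_generic_secret.db_creds.data["password"]
  skip_final_snapshot = true
}

# sensitive = true only redacts the value in plan/apply output and in Terraform Cloud.
# The password is still written to terraform.tfstate in plaintext, both as the data
# source result and as the resource's password attribute.
output "db_password" {
  value     = data.vault_generic_secret.db_creds.data["password"]
  sensitive = true
}
```

terraform state pull prints the raw state JSON, password included, which is why the state itself has to be protected with an encrypted backend and restricted access.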

Terraform Cloud
Terraform in detail
Overview of Terraform Cloud
Terraform Cloud manages Terraform runs in a consistent and reliable environment with various
features like access controls, private registry for sharing modules, policy controls and others.

Sentinel
Terraform Cloud In Detail
Overview of the Sentinel
Sentinel is a policy-as-code framework integrated with the HashiCorp Enterprise products.

It enables fine-grained, logic-based policy decisions, and can be extended to use information
from external sources.

Note: Sentinel policies are a paid feature.

[Flow: terraform plan → Sentinel checks → terraform apply]

High Level Structure

[Diagram: Policy (e.g. "Block EC2 without tags") → Policy Sets → Workspace]

Terraform Backend
Terraform in detail
Basics of Backends
Backends primarily determine where Terraform stores its state.

By default, Terraform implicitly uses a backend called local to store state as a local file on disk.

[Diagram: demo.tf → terraform.tfstate stored on the local disk]

Challenge with Local Backend
Nowadays a Terraform project is handled and collaborated on by an entire team.

Storing the state file on a local laptop will not allow collaboration.

Ideal Architecture
The following describes one of the recommended architectures:

1. The Terraform code is stored in a Git repository.

2. The state file is stored in a central backend.

[Diagram: TF files in a central Git repo and terraform.tfstate in a central backend, both shared by the project collaborators]

Backends Supported in Terraform

Terraform supports multiple backends that allow operations against remote services.

Some of the popular backends include:

● S3
● Consul
● Azurerm
● Kubernetes
● HTTP
● ETCD

Important Note
Accessing state in a remote service generally requires some kind of access credentials.

Some backends act like plain "remote disks" for state files; others support locking the state while
operations are being performed, which helps prevent conflicts and inconsistencies.

[Diagram: the Terraform user authenticates first, then stores the state file in the S3 bucket]

Air Gapped Environments
Installation Methods
Understanding Concept of Air Gap
An air gap is a network security measure employed to ensure that a secure computer network
is physically isolated from unsecured networks, such as the public Internet.

[Diagram: Internet Gateway (Internet connectivity) on one side, Internal Router and the air gapped system on the other, physically separated]

Usage of Air Gapped Systems

Air Gapped Environments are used in various areas. Some of these include:

● Military/governmental computer networks/systems

● Financial computer systems, such as stock exchanges

● Industrial control systems, such as SCADA in Oil & Gas fields

Terraform Enterprise Installation Methods
Terraform Enterprise installs using either an online or an air gapped method; as the
names imply, one requires internet connectivity and the other does not.

[Diagram: Air Gap Install of Terraform Enterprise on an isolated server]

Terraform Challenges
Key Observations
At this stage, we have been learning core concepts of Terraform step by step.

Whenever learning a new technology, a small set of practical projects is always
useful to grasp the practical aspects of that technology.
Introducing Terraform Challenges
With Terraform Challenges, we aim to reduce the gap between learning and
gaining practical experience.

About the Challenges
Each Challenge will test you in different areas of Terraform that will help you gain
some kind of hands-on experience.

[Diagram: challenge areas: Troubleshoot, Secure, Optimize, Analyze]
Workflow Steps
We will have multiple sets of challenges.

After each challenge video, we will have a Solution Hints video and then the
Practical Solution video.

[Flow: Challenge 1 → Solution Hints → Practical Solution]


Terraform Challenge 1
Understanding the Challenge
A developer at Sample Small Corp had created a Terraform file for creating
certain resources.

The code was written a few years back based on an old Terraform version.
What do you need to do?
1. Create Infrastructure using the provided code (without modifications).

2. Verify whether the code works in the latest version of Terraform and the provider.

3. Modify and fix the code so that it works with the latest version of Terraform.

4. Feel free to edit the code as you like.


TF Challenge 1 - Solution Discussion and Hints
Hint 1 - Create Infrastructure with Base Code
Based on the initial code given to you, use the appropriate version of the binaries to
ensure the infrastructure gets created successfully.
Hint 2 - Access/Secret Keys
There are hardcoded AWS Access/Secret keys with the code.

This MUST be fixed.


Hint 3 - Provider Block
The provider block is used to define the provider version along with 3rd party providers.

Instead, use the new required_providers block to define providers and their constraints.
Hint 4 - Terraform Core Version Requirement

Since the challenge states that the latest version of Terraform should be used, you
can plan to remove the required_version block from the code.
Hint 5 - Code Upgrade
Does the resource block of “aws_eip” work with the latest version of Terraform?

It can happen that the latest AWS provider requires some changes in the aws_eip
resource block. Incorporate these changes to ensure the EIP gets created.
Join us in our Adventure

kplabs.in/chat

Be Awesome

kplabs.in/linkedin
Terraform Challenge 2
Understanding the Challenge
Sample code has been provided to you that creates certain resources.

You are required to optimize the code following best practices.
Conditions to Meet
1. Ensure the code is working and the resource gets created.

2. Do NOT delete the existing terraform.lock.hcl file. The file is free to be modified
based on requirements.

3. Demonstrate the ability to modify the variable "splunk" from 8088 to 8089 without
modifying the Terraform code.
TF Challenge 2 - Solution Discussion and Hints
Hint 1 - Indentation
Indentation issues are present in the code.

Make sure that the code is properly indented.


Hint 2 - Using Variables and TFVars
Many values are hard-coded as part of the code.

This makes the code difficult to modify as the code base becomes larger.


Hint 3 - Using Tags
It is important that resources are properly tagged.

This will make it easier to identify the resource among all others.
Hint 4 - Variable Precedence

Consider using the appropriate variable precedence to override variables from
Terraform code.
Hint 5 - Right Folder Structure

Having the right naming convention for files is important.

Bad Structure: Everything in one single file named main.tf

Good Structure: providers.tf , variables.tf , ec2.tf and so on.


Terraform Challenge 3
Understanding the Requirements
You will be provided with a variable named instance_config.

The variable type is map.

Conditions to Meet

1. Based on the values specified in the map, EC2 instances should be created
accordingly.

2. If a key/value is removed from the map, the EC2 instances should be destroyed
accordingly.
TF Challenge 3 - Hints
Hint 1 - Loops
The requirement indicates that, based on the key/value pairs specified in the map, the
resources should be created and destroyed accordingly.

We need to use some kind of loop to achieve this.

Hint 2 - for_each

If a resource block includes a for_each argument whose value is a map or a set
of strings, Terraform creates one instance for each member of that map or set.
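A solution shape for this challenge as an added example (the course's own solution is in its video, not here): a map(object) variable drives for_each, so adding or removing a key creates or destroys exactly that one instance. The sample keys and AMI IDs are constructed.

```hcl
variable "instance_config" {
  type = map(object({
    instance_type = string
    ami           = string
  }))
  # Constructed sample values. Removing "api" from this map destroys only the
  # aws_instance.this["api"] instance; "web" is left untouched.
  default = {
    web = { instance_type = "t2.micro", ami = "ami-0123456789abcdef0" }
    api = { instance_type = "t2.small", ami = "ami-0123456789abcdef0" }
  }
}

resource "aws_instance" "this" {
  for_each      = var.instance_config   # one instance per map key
  ami           = each.value.ami
  instance_type = each.value.instance_type

  tags = {
    Name = each.key                     # instances are addressed by key, e.g. aws_instance.this["web"]
  }
}

output "instance_ids" {
  value = { for name, inst in aws_instance.this : name => inst.id }
}
```

With count instead of for_each, removing a middle element would shift the indices of the remaining instances and make Terraform recreate them; map keys are stable, which is why for_each fits this requirement.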
Terraform Challenge 4
Requirement - 1
Clients want code that can create an IAM user in an AWS account with the following
naming syntax:

admin-user-{account-number-of-aws}

[Diagram: AWS account 12345 gets admin-user-12345; AWS account 67890 gets admin-user-67890]
Requirement - 2
The client wants logic that will show the names of ALL users in the AWS account
in the output.

Requirement - 3
Along with the list of users in AWS, the client also wants Terraform to show the total number
of users in AWS.

[Diagram: AWS account with 3 users]
TF Challenge 4 - Solution Hints
Hint 1 - Data Sources

Data sources allow us to dynamically fetch information from infrastructure
resources or other state backends.

You can try to dynamically fetch information like the AWS account ID and user names
using data sources.
Hint 2 - Functions

Calculating the number of users is outside the scope of a data source.

You need to make use of a Terraform function that can calculate the total number of
users and output it.
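All three requirements in one added example (not the course's solution): aws_caller_identity supplies the account ID for the user name, aws_iam_users lists the existing user names, and length() counts them.

```hcl
provider "aws" {
  region = "us-east-1"
}

# Requirement 1: the account ID comes from the credentials in use, never hardcoded.
data "aws_caller_identity" "current" {}

resource "aws_iam_user" "admin" {
  name = "admin-user-${data.aws_caller_identity.current.account_id}"
}

# Requirement 2: every IAM user in the account (no filter given, so all of them).
data "aws_iam_users" "all" {}

output "user_names" {
  value = data.aws_iam_users.all.names
}

# Requirement 3: a data source only fetches; counting is done with the built-in length() function.
output "user_count" {
  value = length(data.aws_iam_users.all.names)
}
```

The data source is read during the plan's refresh, so on the first apply the count reflects the users that existed before admin-user-<account> was created; a second plan shows the updated number.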
Overview of HashiCorp Exams
Let’s Get Certified!
Overview of HashiCorp Associate Exams
Overview of the basic exam related information.

Assessment Type: Description

Type of Exam: Multiple Choice

Format: Online Proctored

Duration: 1 hour

Questions: 57

Price: 70.50 USD + Taxes

Language: English

Expiration: 2 years

Multiple Choice

This includes various sub-formats, including:

● True or False
● Multiple Choice
● Fill in the blank

Delta Type of Question
Example 1:

Demo Software stores information in which type of backend?

Format - Online Proctored

Important rules to be followed:

● You are alone in the room
● Your desk and work area are clear
● You are connected to a power source
● No phones or headphones
● No dual monitors
● No leaving your seat
● No talking
● Webcam, speakers, and microphone must remain on throughout the test.
● The proctor must be able to see you for the duration of the test.

My Experience - Before Room

My Experience - After Room

My Experience - My Desk

Registration Process

The high-level steps for registering for the exams are as follows:

1. Log in to the HashiCorp Certification Page.
2. Register for the exam.
3. Check the system requirements.
4. Download the PSI software.
5. Best of luck!

Make sure to complete system check.

Important Pointers for Exams - 1
Let’s get Certified
Terraform Providers

A provider is responsible for understanding API interactions and exposing resources.

Most of the available providers correspond to one cloud or on-premises infrastructure platform,
and offer resource types that correspond to each of the features of that platform.

You can explicitly set a specific version of the provider within the provider block.

To upgrade to the latest acceptable version of each provider, run terraform init -upgrade

Provider Architecture

[Diagram: do_droplet.tf → Terraform → Digital Ocean provider (API interactions) → Digital Ocean, provisioning a new Droplet]

Terraform Providers - Part 2
You can have multiple provider instances with the help of alias.

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "west"
  region = "us-west-2"
}

The provider block without alias set is known as the default provider configuration. When
an alias is set, it creates an additional provider configuration.
Terraform Init
The terraform init command is used to initialize a working directory containing Terraform
configuration files.

During init, the configuration is searched for module blocks, and the source code for referenced
modules is retrieved from the locations given in their source arguments.
Terraform must initialize the provider before it can be used.

Initialization downloads and installs the provider's plugin so that it can later be executed.

It will not create any sample files like example.tf.

Terraform Plan

The terraform plan command is used to create an execution plan.

It will not modify things in infrastructure.

Terraform performs a refresh, unless explicitly disabled, and then determines what actions are
necessary to achieve the desired state specified in the configuration files.

This command is a convenient way to check whether the execution plan for a set of changes
matches your expectations without making any changes to real resources or to the state.

Terraform Apply

The terraform apply command is used to apply the changes required to reach the desired state of
the configuration.

Terraform apply will also write data to the terraform.tfstate file.

Once apply is completed, resources are immediately available.

Terraform Refresh

The terraform refresh command is used to reconcile the state Terraform knows about (via its
state file) with the real-world infrastructure.

This does not modify infrastructure but does modify the state file.

Terraform Destroy

The terraform destroy command is used to destroy the Terraform-managed infrastructure.

terraform destroy command is not the only command through which infrastructure can be
destroyed.

Terraform Format

The terraform fmt command is used to rewrite Terraform configuration files to a canonical
format and style.

For the use-case where all configuration written by team members needs to follow a consistent
code style, terraform fmt can be used.

Terraform Validate
The terraform validate command validates the configuration files in a directory.

Validate runs checks that verify whether a configuration is syntactically valid, and is thus primarily
useful for general verification of reusable modules, including the correctness of attribute names
and value types.

It is safe to run this command automatically, for example, as a post-save check in a text editor or
as a test step for a reusable module in a CI system. It can run before terraform plan.

Validation requires an initialized working directory with any referenced plugins and modules
installed.

Terraform Provisioners
Provisioners can be used to model specific actions on the local machine or on a remote machine
in order to prepare servers or other infrastructure objects for service.

Provisioners should only be used as a last resort. For most common situations, there are better
alternatives.

● Provisioners are inside the resource block.
● Have an overview of local and remote provisioners.

Important Pointers for Exams - 2
Let’s get Certified
Overview of Debugging Terraform

Terraform has detailed logs that can be enabled by setting the TF_LOG environment variable to
any value.

You can set TF_LOG to one of the log levels TRACE, DEBUG, INFO, WARN or ERROR to
change the verbosity of the logs.

Example:

TF_LOG=TRACE

To persist logged output, you can set TF_LOG_PATH

Terraform Import
Terraform is able to import existing infrastructure.

This allows you to take resources that you've created by some other means and bring them under
Terraform management.

The current implementation of Terraform import can only import resources into the state. It
does not generate configuration.

Because of this, prior to running terraform import, it is necessary to write a resource
configuration block manually for the resource, to which the imported object will be mapped.

terraform import aws_instance.myec2 instance-id


Local Values

A local value assigns a name to an expression, allowing it to be used multiple times within a
module without repeating it.

The expression of a local value can refer to other locals, but as usual reference cycles are not
allowed. That is, a local cannot refer to itself or to a variable that refers (directly or indirectly)
back to it.

It's recommended to group together logically-related local values into a single block, particularly
if they depend on each other.

Overview of Data Types
Type Keyword: Description

string: Sequence of Unicode characters representing some text, like "hello".

list: Sequential list of values identified by their position, starting at 0, e.g. ["mumbai", "singapore", "usa"].

map: A group of values identified by named labels, like {name = "Mabel", age = 52}.

number: Example: 200

Terraform WorkSpaces
Terraform allows us to have multiple workspaces; with each of the workspaces, we can have a
different set of environment variables associated.

Workspaces allow multiple state files of a single configuration.

Terraform Modules
We can centralize Terraform resources in a module and call them from TF files whenever required.

[Diagram: a module block whose source points at the centralized resource definition below]

resource "aws_instance" "myweb" {
  ami             = "ami-bf5540df"
  instance_type   = "t2.micro"
  security_groups = ["default"]
}

Terraform Modules - ROOT and Child

Every Terraform configuration has at least one module, known as its root module, which consists
of the resources defined in the .tf files in the main working directory.

A module can call other modules, which lets you include the child module's resources into the
configuration in a concise way.

A module that includes a module block like this is the calling module of the child module.
Module - Accessing Output Values

The resources defined in a module are encapsulated, so the calling module cannot access their
attributes directly.

However, the child module can declare output values to selectively export certain values to be
accessed by the calling module.

Suppressing Values in CLI Output

An output can be marked as containing sensitive material using the optional sensitive argument.

Setting an output value in the root module as sensitive prevents Terraform from showing its value
in the list of outputs at the end of terraform apply

Sensitive output values are still recorded in the state, and so will be visible to anyone who is able
to access the state data.
Module Versions

It is recommended to explicitly constrain the acceptable version numbers for each external
module to avoid unexpected or unwanted changes.

Version constraints are supported only for modules installed from a module registry, such as the
Terraform Registry or Terraform Cloud's private module registry.
Terraform Registry

The Terraform Registry is integrated directly into Terraform.

The syntax for referencing a registry module is

<NAMESPACE>/<NAME>/<PROVIDER>.

For example: hashicorp/consul/aws.


Private Registry for Module Sources
You can also use modules from a private registry, like the one provided by Terraform Cloud.

Private registry modules have source strings of the following form:


<HOSTNAME>/<NAMESPACE>/<NAME>/<PROVIDER>.

This is the same format as the public registry, but with an added hostname prefix.

While fetching a module, having a version is required.


Important Pointers for Exams - 3
Let’s get Certified
Terraform Functions

The Terraform language includes a number of built-in functions that you can use to transform
and combine values.

> max(5, 12, 9)
12

The Terraform language does not support user-defined functions, and so only the functions
built into the language are available for use.

Be aware of basic functions like element, lookup.

Count and Count Index

The count parameter on resources can simplify configurations and let you scale resources by
simply incrementing a number.

In resource blocks where the count is set, an additional count object (count.index) is available in
expressions, so that you can modify the configuration of each instance.

Find the Issue - Use-Case

You can expect a use-case with Terraform code where you have to find what should be removed as
part of Terraform best practice.

terraform {
  backend "s3" {
    bucket     = "mybucket"
    key        = "path/to/my/key"
    region     = "us-east-1"
    access_key = 1234
    secret_key = 1234567890
  }
}
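The corrected backend as an added example (not the course's code): the credentials are removed, encryption at rest and state locking are turned on, and the remaining secrets-free settings can optionally be supplied at init time as a partial configuration. The DynamoDB table name is assumed.

```hcl
terraform {
  backend "s3" {
    bucket         = "mybucket"
    key            = "path/to/my/key"
    region         = "us-east-1"
    encrypt        = true               # server-side encryption of the state object at rest
    dynamodb_table = "terraform-locks"  # assumed table name; enables state locking
    # No access_key / secret_key here. The backend reads credentials from the
    # environment (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, a shared-credentials
    # profile, or an instance/role identity), so nothing secret is committed.
  }
}

# Partial configuration alternative: declare only `backend "s3" {}` above and pass
# the bucket, key and region when initializing, for example:
#   terraform init -backend-config="bucket=mybucket" \
#                  -backend-config="key=path/to/my/key" \
#                  -backend-config="region=us-east-1"
# or from a backend.hcl file that is kept out of version control:
#   terraform init -backend-config=backend.hcl
```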

Terraform Lock

If supported by your backend, Terraform will lock your state for all operations that could write
state.

Terraform has a force-unlock command to manually unlock the state if unlocking failed.

Use-Case - Resources Deleted Out of Terraform

You have created an EC2 instance. Someone has modified the EC2 instance manually. What will
happen if you run terraform plan again?

1. Someone has changed the EC2 instance type from t2.micro to t2.large.

2. Someone has terminated the EC2 instance.

Answer 1. Terraform's current state will have t2.large, and the desired state is t2.micro. It will try
to change the instance type back to t2.micro.

Answer 2. Terraform will create a new EC2 instance.

Resource Block

Each resource block describes one or more infrastructure objects, such as virtual networks,
compute instances, or higher-level components such as DNS records.

A resource block declares a resource of a given type ("aws_instance") with a given local name
("web").

Sentinel
Sentinel is an embedded policy-as-code framework integrated with the HashiCorp Enterprise
products.

It can be used for various use-cases like:

● Verify if an EC2 instance has tags.
● Verify if an S3 bucket has encryption enabled.

[Flow: terraform plan → Sentinel checks → terraform apply]

Sensitive Data in State File
If you manage any sensitive data with Terraform (like database passwords, user passwords, or
private keys), treat the state itself as sensitive data.

Approaches in such a scenario:

Terraform Cloud always encrypts the state at rest and protects it with TLS in transit. Terraform
Cloud also knows the identity of the user requesting state and maintains a history of state
changes.

The S3 backend supports encryption at rest when the encrypt option is enabled.

Dealing with Credentials in Config

Hard-coding credentials into any Terraform configuration is not recommended, and risks secret
leakage should this file ever be committed to a public version control system.

You can store the credentials outside of terraform configuration.

Storing credentials as part of environment variables is also a much better approach than hard
coding it in the system.

Remote Backend for Terraform Cloud

The remote backend stores Terraform state and may be used to run operations in Terraform
Cloud.

When using full remote operations, operations like terraform plan or terraform apply can be
executed in Terraform Cloud's run environment, with log output streaming to the local terminal.

Miscellaneous Pointers

Terraform does not require go as a prerequisite.

It works well on Windows, Linux and Mac.

Windows Server is not mandatory.

Important Pointers for Exams - 4
Let’s get Certified
Terraform Graph
The terraform graph command is used to generate a visual representation of either a
configuration or an execution plan.

The output of terraform graph is in the DOT format, which can easily be converted to
an image.

Splat Expressions
Splat expressions allow us to get a list of all the attributes.

Terraform Terminologies

aws_instance: Resource type

example: Local name for the resource

ami: Argument name

abc123: Argument value

Provider Configuration

The provider configuration block is not mandatory for every Terraform configuration.

Terraform Output

The terraform output command is used to extract the value of an output variable from the state
file.

Terraform Unlock

If supported by your backend, Terraform will lock your state for all operations that could write
state.

Not all backends support locking functionality.

Terraform has a force-unlock command to manually unlock the state if unlocking failed.

terraform force-unlock LOCK_ID [DIR]

Miscellaneous Pointers - 1
There are three primary benefits of Infrastructure as Code tools:

Automation, Versioning, and Reusability.

Various IAC Tools Available in the market:

● Terraform
● CloudFormation
● Azure Resource Manager
● Google Cloud Deployment Manager

Miscellaneous Pointers - 2

Sentinel is a proactive service.

Terraform Refresh does not modify the infrastructure but it modifies the state file.

The slice function is not one of the string functions; others like join, split and chomp are.

It is not mandatory to include the module version argument while pulling code from the
Terraform Registry.

Miscellaneous Pointers - 3

Overuse of dynamic blocks can make configuration hard to read and maintain.

Terraform Apply can change, destroy and provision resources but cannot import any resource.

Important Pointers for Exams - 5
Let’s get Certified
Terraform Enterprise & Terraform Cloud
Terraform Enterprise provides several added advantages compared to Terraform Cloud.

Some of these include:

● Single Sign-On
● Auditing
● Private Data Center Networking
● Clustering

Team & Governance features are not available in the free tier of Terraform Cloud (they are paid).

Variables with undefined values
If you have variables with undefined values, it will not directly result in an error.

Terraform will ask you to supply the value associated with them.

Example Code:

variable "custom_var" {}

Environment Variables
Environment variables can be used to set variables.

The environment variables must be in the format TF_VAR_name

Structural Data Types
A structural type allows multiple values of several distinct types to be grouped together
as a single value.

A list contains multiple values of the same type, while an object can contain multiple values of
different types.

Structural Type: Description

object: A collection of named attributes that each have their own type.
Syntax: object({<ATTR NAME> = <TYPE>, ... })
Example type: object({ name = string, age = number })
Example value:

{
  name = "John"
  age  = 52
}

tuple: tuple([<TYPE>, ...])


BackEnd Configuration
Backends are configured directly in Terraform files in the terraform section.

After configuring a backend, it has to be initialized.

BackEnd Configuration Types - 1
First Time Configuration:

When configuring a backend for the first time (moving from no defined backend to
explicitly configuring one), Terraform will give you the option to migrate your state to
the new backend.

This lets you adopt backends without losing any existing state.

BackEnd Configuration Types - 2
Partial Configuration:

You do not need to specify every required argument in the backend configuration.
Omitting certain arguments may be desirable to avoid storing secrets, such as access keys,
within the main configuration.

With a partial configuration, the remaining configuration arguments must be provided
as part of the initialization process.

Overview of Terraform Taint

The terraform taint command manually marks a Terraform-managed resource as tainted, forcing
it to be destroyed and recreated on the next apply.

Once a resource is marked as tainted, the next plan will show that the resource will be destroyed
and recreated and the next apply will implement this change.

Input Variables

The value associated with a variable can be assigned via multiple approaches.

Value associated with the variables can be defined via CLI as well as in tfvars file.

Following is syntax to load custom tfvars file:

terraform apply -var-file="testing.tfvars"

Variable Definition Precedence
Terraform loads variables in the following order, with later sources taking precedence over earlier
ones:

● Environment variables
● The terraform.tfvars file, if present.
● The terraform.tfvars.json file, if present.
● Any *.auto.tfvars or *.auto.tfvars.json files, processed in lexical order of their filenames.
● Any -var and -var-file options on the command line, in the order they are provided.

If the same variable is assigned multiple values, Terraform uses the last value it finds.

Terraform Local Backend

The local backend stores state on the local filesystem, locks that state using system APIs, and
performs operations locally.

By default, Terraform uses the "local" backend, which is the normal behavior of Terraform you're
used to.
Required Providers

Each Terraform module must declare which providers it requires, so that Terraform can install
and use them.

Provider requirements are declared in a required_providers block.

Required Version

The required_version setting accepts a version constraint string, which specifies which versions of
Terraform can be used with your configuration.

If the running version of Terraform doesn't match the constraints specified, Terraform will
produce an error and exit without taking any further actions.

Versioning Arguments
There are multiple ways of specifying the version of a provider.

Version Number Argument   Description

>=1.0                     Greater than or equal to the version
<=1.0                     Less than or equal to the version
~>2.0                     Any version in the 2.X range
>=2.10,<=2.30             Any version between 2.10 and 2.30
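An added example (not from the original notes) that ties together required_version, required_providers and the constraint operators from the table above. The provider versions and region are assumed values.

```hcl
# versions.tf (added example, not part of the original notes)
terraform {
  # Refuse to run under any Terraform release outside this range;
  # Terraform errors out before touching any infrastructure.
  required_version = ">= 1.5.0, < 2.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"          # any 5.x release, never 6.0
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.5, <= 3.6"  # a bounded range, like >=2.10,<=2.30 above
    }
  }
}

provider "aws" {
  region = "us-east-1"   # placeholder, assumed
}

# terraform init resolves these constraints and records the exact versions
# and checksums it selected in .terraform.lock.hcl. Commit that file so every
# run (CI, colleagues) installs the same provider builds rather than the
# newest release that happens to satisfy the constraint.
```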
Important Pointers for Exams - 6
Let’s get Certified
Fetching Values from Map
To reference image-abc from the map below, the following approach is used:

var.ami_ids["mumbai"]
Terraform and GIT - Part 1

If you are making use of a Git repository for committing Terraform code, the .gitignore
should be configured to ignore certain Terraform files that might contain sensitive data.

Some of these can include:

● terraform.tfstate file (this can include sensitive information)
● *.tfvars (may contain sensitive data like passwords)
Terraform and GIT - Part 2

Arbitrary Git repositories can be used by prefixing the address with the special git::
prefix.

After this prefix, any valid Git URL can be specified to select one of the protocols
supported by Git.

Terraform and GIT - Part 3
By default, Terraform will clone and use the default branch (referenced by HEAD) in
the selected repository.

You can override this using the ref argument.

The value of the ref argument can be any reference that would be accepted by the git
checkout command, including branch and tag names.
Terraform Workspace

● Workspaces are managed with the terraform workspace set of commands.
● State File Directory = terraform.tfstate.d
● Not suitable for strong isolation between workspaces (e.g. stage/prod).

Use-Case                          Command

Create New Workspace              terraform workspace new kplabs
Switch to a specific Workspace    terraform workspace select prod
Dependency Types - Implicit

With an implicit dependency, Terraform automatically finds references to the object
and creates an implicit ordering requirement between the two resources.
Dependency Types - Explicit

Explicitly specifying a dependency is only necessary when a resource relies on some other
resource's behavior but doesn't access any of that resource's data in its arguments.

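An added example (not from the original notes) showing both dependency types side by side: the bucket policy depends on the bucket implicitly through an attribute reference, while the instance needs depends_on because none of its arguments reference the policy. Bucket name and AMI id are placeholders.

```hcl
# dependencies.tf (added example, not part of the original notes)
resource "aws_s3_bucket" "logs" {
  bucket = "example-app-logs"   # placeholder, assumed
}

# Implicit dependency: referencing aws_s3_bucket.logs.id and .arn tells
# Terraform the bucket must exist before the policy is created.
resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.logs.arn, "${aws_s3_bucket.logs.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}

# Explicit dependency: the instance should only start shipping logs once the
# policy is in place, but no argument here references the policy, so Terraform
# cannot infer the ordering on its own.
resource "aws_instance" "app" {
  ami           = "ami-placeholder"   # placeholder, assumed
  instance_type = "t3.micro"

  depends_on = [aws_s3_bucket_policy.logs]
}
```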
State Command
Rather than modifying the state directly, the terraform state commands can be used in
many cases instead.

State Command          Description

terraform state list   List resources within the Terraform state.
terraform state mv     Move items within the Terraform state. Can be used for resource renaming.
terraform state pull   Manually download and output the state from the state file.
terraform state rm     Remove items from the Terraform state file.
terraform state show   Show the attributes of a single resource in the Terraform state.
Data Source Code
● Data sources allow data to be fetched or computed for use elsewhere in the Terraform
configuration.

● Reads from a specific data source (aws_ami) and exports the results under "app_ami".
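An added example (not from the original notes) of the aws_ami data source described above, with its result consumed by an instance. The name pattern is an assumed Amazon Linux 2023 pattern; the instance type is assumed.

```hcl
# data.tf (added example, not part of the original notes)
data "aws_ami" "app_ami" {
  most_recent = true

  # Restrict the search to a trusted publisher. A name filter alone could
  # match a public image published by any account; owners pins the source.
  owners = ["amazon"]

  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]   # assumed naming pattern
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

# The lookup result is exported under data.aws_ami.app_ami and can be
# referenced anywhere in the configuration.
resource "aws_instance" "app" {
  ami           = data.aws_ami.app_ami.id
  instance_type = "t3.micro"
}

# Surface which image was actually selected, so a plan review can confirm it.
output "selected_ami" {
  value = {
    id   = data.aws_ami.app_ami.id
    name = data.aws_ami.app_ami.name
  }
}
```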
Terraform taint
Terraform taint can also be used to taint a resource within a module.

terraform taint [options] address

For nested sub-modules, the following address syntax is used:

module.foo.module.bar.aws_instance.qux
Terraform Plan Destroy
The behavior of any terraform destroy command can be previewed at any time with an
equivalent terraform plan -destroy command.

Terraform Module Sources
The module installer supports installation from a number of different source types like
Local paths, Terraform Registry, GitHub, S3 buckets and others.

Local path references allow for factoring out portions of a configuration within a single
source repository.

A local path must begin with either ./ or ../ to indicate that a local path is intended.

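An added example (not from the original notes) covering the module source types from this slide and the git:: / ref arguments from Terraform and GIT - Part 2 and Part 3. The repository URL, module paths and input names are placeholders.

```hcl
# main.tf (added example, not part of the original notes)

# Local path: must start with ./ or ../ so Terraform does not treat the
# address as a registry module name.
module "network" {
  source = "./modules/network"   # placeholder path, assumed
  cidr   = "10.0.0.0/16"
}

# Generic Git source via the git:: prefix. Without ?ref= the default branch
# (HEAD) is cloned, so the code you apply can change between runs; pinning
# to a tag (or a commit SHA) makes the module version reproducible.
module "hardening" {
  source = "git::https://example.com/org/terraform-hardening.git?ref=v1.4.0"
  vpc_id = "vpc-placeholder"     # placeholder, assumed
}

# A branch name is also a valid ref (anything git checkout accepts),
# but unlike a tag or SHA it is not immutable:
#
# module "hardening_dev" {
#   source = "git::ssh://git@example.com/org/terraform-hardening.git?ref=feature-x"
# }
```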
Dealing with Larger Infrastructure

Cloud providers apply rate limiting, so Terraform can only request a certain number of
resources over a period of time.

It is important to break larger configurations into multiple smaller configurations that
can be independently applied.

Alternatively, you can make use of the -refresh=false and -target flags as a workaround (not
recommended).
Miscellaneous Pointers

lookup retrieves the value of a single element from a map:

lookup(map, key, default)

Various commands run terraform refresh implicitly; some of these include:

terraform [plan, apply, destroy]

Others like terraform [init, import] do not run refresh implicitly.

Array datatype is not supported in Terraform.
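An added example (not from the original notes) serving both Fetching Values from Map and the lookup pointer above: the same map read by direct index and by lookup with a default, plus a precondition so a missing key fails loudly instead of silently deploying the fallback. The map contents and region key are constructed placeholders.

```hcl
# maps.tf (added example, not part of the original notes)
variable "ami_ids" {
  type = map(string)
  default = {                 # constructed sample values
    mumbai    = "image-abc"
    singapore = "image-def"
  }
}

variable "region_key" {
  type    = string
  default = "mumbai"          # assumed
}

locals {
  # Direct index: errors at plan time if the key is absent.
  ami_direct = var.ami_ids["mumbai"]                           # "image-abc"

  # lookup(map, key, default): returns the default instead of failing.
  ami_safe = lookup(var.ami_ids, var.region_key, "image-none")

  # Guard so the fallback value is never applied by accident.
  region_known = contains(keys(var.ami_ids), var.region_key)
}

resource "aws_instance" "app" {
  ami           = local.ami_safe
  instance_type = "t3.micro"

  lifecycle {
    precondition {
      condition     = local.region_known
      error_message = "No AMI is defined for region key ${var.region_key}."
    }
  }
}
```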
Miscellaneous Pointers -2

Various variable definition files will be loaded automatically in terraform. These include:

● terraform.tfvars
● terraform.tfvars.json
● Any files with names ending in .auto.tfvars.json

Both implicit and explicit dependency information is stored in terraform.tfstate file.

terraform init -upgrade updates all previously installed plugins to the newest version.

Miscellaneous Pointers -3

The terraform console command provides an interactive console for evaluating
expressions.

Difference between 0.11 and 0.12:

● "${var.instance_type}" → 0.11
● var.instance_type → 0.12
Miscellaneous Pointers -3

If you have multiple modules and you want to export a value from one module to be
imported into another module,

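An added example (not from the original notes) of exporting a value from one module with an output block and importing it into another as an input variable. Module paths, resource names and the CIDR are placeholders.

```hcl
# modules/network/main.tf (added example, not part of the original notes)
resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/16"   # placeholder, assumed
}

# modules/network/outputs.tf: the module exports the value it wants to share
output "vpc_id" {
  value       = aws_vpc.this.id
  description = "Exposed so other modules can attach resources to this VPC"
}

# modules/app/variables.tf: the consuming module declares an input
variable "vpc_id" {
  type = string
}

# main.tf (root): wire the exported value into the consumer
module "network" {
  source = "./modules/network"
}

module "app" {
  source = "./modules/app"
  vpc_id = module.network.vpc_id   # output of one module becomes input of another
}

# Re-export at the root if CLI users or remote state consumers need it
output "vpc_id" {
  value = module.network.vpc_id
}
```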
