Terraform is a useful Infrastructure as Code (IaC) tool for automating the provisioning and administration of IT infrastructure. To benefit from it, you must be fully committed to, and disciplined in, using Terraform to provision and administer your infrastructure. It is very easy to be tempted to change infrastructure by other means (UI, CLI, API, etc.), so it is important to understand how Terraform manages infrastructure state, and with it the implications of changing your Terraform-managed infrastructure outside Terraform.
The image below explains how Terraform operates with different “states” of your infrastructure.
Now, let’s use the above with a couple of scenarios.
SCENARIO 1: Using Terraform for the first time to provision a VM on an existing infrastructure (e.g. Azure/AWS).
The infrastructure already has VMs and is not managed by Terraform. You decide to provision a VM with Terraform. After preparing your HCL files, when you perform a “terraform plan”, the following occurs:
- Terraform does not have a terraform.tfstate file (first time using Terraform) and so there’s nothing to refresh from the actual state (although infrastructure exists – other VMs, etc.).
- Terraform compares your desired state (HCL files) with the terraform state.
- Since you do not have a terraform state, all infrastructure in the desired state will be added to the actual state (real-world infrastructure) and the terraform state will be updated. So, your VM will be added to the infrastructure.
NOTE: To bring your existing infrastructure under Terraform management, you may use the terraform import command. It can be a painful exercise if your existing infrastructure is large and complex.
SCENARIO 2: Add tags to the Terraform-provisioned VM directly via the provider’s UI
Let’s say you add tags to the Terraform-provisioned VM (scenario 1) directly via the UI (Web Portal). When you perform a “terraform plan” of the VM’s HCL code (as in scenario 1) again, the following occurs:
- Terraform refreshes its terraform.tfstate file with the actual state. This causes Terraform to update the terraform.tfstate file with the new VM tag details, since the tags were added to the VM’s actual state via the UI.
- Terraform compares your desired state (HCL files) with the terraform
- Since the desired state (HCL files) does not contain the added tags (that were added via the UI) for the VM, Terraform will endeavor to meet the desired state and remove the tags from the VM in the infrastructure (actual state). So, the changes to the VM made outside Terraform (via the UI) will be deleted.
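To catch the out-of-band change from Scenario 2 before an apply silently removes it, a pipeline can inspect the JSON form of a saved plan (`terraform show -json <planfile>`), which reports changes found during refresh under `resource_drift` and the proposed changes under `resource_changes`. The following is an added example, not part of the original article; the resource address, tag values and the function names `changed_attributes` and `summarize` are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json <planfile>` output for
# Scenario 2. The resource address and tag values are made up.
SAMPLE_PLAN = json.loads("""
{
  "resource_drift": [
    {"address": "azurerm_linux_virtual_machine.vm1",
     "change": {"actions": ["update"],
                "before": {"name": "vm1", "size": "Standard_B1s", "tags": {}},
                "after":  {"name": "vm1", "size": "Standard_B1s",
                           "tags": {"owner": "alice", "env": "test"}}}}
  ],
  "resource_changes": [
    {"address": "azurerm_linux_virtual_machine.vm1",
     "change": {"actions": ["update"],
                "before": {"name": "vm1", "size": "Standard_B1s",
                           "tags": {"owner": "alice", "env": "test"}},
                "after":  {"name": "vm1", "size": "Standard_B1s", "tags": {}}}}
  ]
}
""")


def changed_attributes(before, after):
    """Top-level attributes whose values differ between two object snapshots."""
    before, after = before or {}, after or {}  # null on create/delete
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))


def summarize(plan):
    """Return (drift, overwrites): out-of-band edits, and those the plan undoes."""
    drift, planned = {}, {}
    for key, out in (("resource_drift", drift), ("resource_changes", planned)):
        for rc in plan.get(key, []):
            ch = rc["change"]
            if ch["actions"] != ["no-op"]:
                out[rc["address"]] = changed_attributes(ch.get("before"), ch.get("after"))
    # A drifted attribute that the plan also changes gets overwritten on apply.
    overwrites = {addr: sorted(set(attrs) & set(planned.get(addr, [])))
                  for addr, attrs in drift.items()}
    return drift, {addr: attrs for addr, attrs in overwrites.items() if attrs}


if __name__ == "__main__":
    drift, overwrites = summarize(SAMPLE_PLAN)
    print("changed outside Terraform:", drift)
    print("next apply will overwrite:", overwrites)
```

Run against a real plan, a non-empty first result means someone changed managed infrastructure outside Terraform; the second shows which of those changes the next apply would undo.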
So, as you can see, once you commit to using Terraform for your infrastructure, you must be all-in!! If you get this right, you will certainly benefit. You may experience issues and frustrations as the infrastructure gets more complex and you’ll have to determine what works best for your environment.
There are several other IaC tools out there (Ansible, Chef, Puppet, CFEngine, SaltStack, etc.), and infrastructure providers also have CLIs and REST APIs. Every tool has its pros and cons, but the bottom line is that it will eventually pay off to use IaC (irrespective of the tool), with benefits such as cost reduction (more automation => smaller teams), risk mitigation (reduces human error) and increased efficiency.