Managing Infrastructure As Code With Terraform
With HashiCorp Terraform, provisioning and security can be automated based on infrastructure and policy as code. Infrastructure and policies are codified, shared, managed, and executed within a workflow that is consistent across all infrastructure.
This tutorial explains how to manage infrastructure as code with Terraform and Cloud Build using the popular GitOps methodology. The term GitOps was first coined by Weaveworks, and its key concept is using a Git repository to store the environment state that you want. Terraform is a HashiCorp open source tool that enables you to predictably create, change, and improve your cloud infrastructure by using code. In this tutorial, you use Cloud Build, a Google Cloud continuous integration service, to automatically apply Terraform manifests to your environment.
This tutorial is for developers and operators who are looking for an elegant strategy to predictably make changes to infrastructure. The article assumes you are familiar with Google Cloud, Linux, and GitHub.
Ideally, developers or operators propose infrastructure changes on non-protected branches and then submit them through pull requests. The Cloud Build GitHub app, discussed later in this tutorial, automatically triggers the build jobs and links the terraform plan reports to these pull requests. This way, you can discuss and review the potential changes with collaborators and add follow-up commits before changes are merged into the base branch.
By default, Terraform stores state locally in a file named terraform.tfstate. This default configuration can make Terraform usage difficult for teams, especially when many users run Terraform at the same time and each machine has its own understanding of the current infrastructure.
To allow the Cloud Build service account to run Terraform scripts that manage Google Cloud resources, you need to grant it appropriate access to your project. For simplicity, project editor access is granted in this tutorial. Because the project editor role grants wide-ranging permissions, in production environments you must follow your company's IT security best practices, usually granting least-privilege access.
This section shows you how to install the Cloud Build GitHub app. This installation allows you to connect your GitHub repository with your Google Cloud project so that Cloud Build can automatically apply your Terraform manifests each time you create a new branch or push code to GitHub.
Similarly, the terraform apply command runs for environment branches, but it is completely ignored in any other case. In this section, you have submitted a code change to a new branch, so no infrastructure deployments were applied to your Google Cloud project.
Historically, Infrastructure as Code has seen many iterations, starting with configuration management tools like CFEngine, Chef, Puppet, Ansible, and Salt. Newer tooling like CloudFormation and Terraform takes a declarative approach and focuses on the actual provisioning of resources, as opposed to the configuration of existing ones. The newest generation of tools focuses on using the capabilities of existing imperative programming languages. AWS and Terraform both provide Cloud Development Kits (CDKs), and Pulumi is also a popular option for provisioning infrastructure with traditional software tools.
Terraform keeps track of the state of the resources it manages in a state file. This file is essentially a large JSON data structure that tracks proposed changes to infrastructure, as well as out-of-band changes that may have occurred to live resources outside of the Terraform configuration. New Terraform users typically maintain a local state file on their workstation or laptop. At scale with multiple engineers managing infrastructure, the state is typically broken down into multiple files and stored remotely using services like AWS S3.
With immutable infrastructure, build, release, and deploy stages are kept separate. Once code changes are built, they are stamped with an immutable release tag. Further changes or fixes result in a new tag being generated. Developers and engineers know that a change that was made in a local development environment is the same change across different environments and deployment stages. The 12-factor app framework highlights this pattern in factor V.
Why provision infrastructure with clicks and manual processes while writing application code? Infrastructure as Code tools like Terraform mean that infrastructure configuration can be brought into the same development processes, allowing for testing, standardization, and scalability. The modern Infrastructure as Code ecosystem has a broad variety of resources for learning and getting started.
Terraform is the infrastructure as code offering from HashiCorp. It is a tool for building, changing, and managing infrastructure in a safe, repeatable way. Operators and Infrastructure teams can use Terraform to manage environments with a configuration language called the HashiCorp Configuration Language (HCL) for human-readable, automated deployments.
Infrastructure as code is the process of managing infrastructure in a file or files rather than manually configuring resources in a user interface. A resource in this instance is any piece of infrastructure in a given environment, such as a virtual machine, security group, network interface, etc. At a high level, Terraform allows operators to use HCL to author files containing definitions of their desired resources on almost any provider (AWS, Google Cloud, GitHub, Docker, etc.) and automates the creation of those resources at the time of apply.
If the plan was created successfully, Terraform will now pause and wait for approval before proceeding. If anything in the plan seems incorrect or dangerous, it is safe to abort here with no changes made to your infrastructure.
As indicated by the execution plan, Terraform first destroyed the existing instance and then created a new one in its place. You can use terraform show again to see the new values associated with this instance.
Just like with terraform apply, Terraform determines the order in which things must be destroyed. Google Cloud won't allow a VPC network to be deleted if there are resources still in it, so Terraform waits until the instance is destroyed before destroying the network. When performing operations, Terraform creates a dependency graph to determine the correct order of operations. In more complicated cases with multiple resources, Terraform will perform operations in parallel when it's safe to do so.
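The following HCL is an added example, not code from the tutorial above. It shows the two points the preceding sections make: the gcs backend block replaces the local terraform.tfstate file that is awkward for teams, and the instance's reference to the network creates the implicit dependency that makes Terraform create the network first and destroy the instance first. The bucket name and project ID are placeholders.

```hcl
terraform {
  # Remote state instead of a local terraform.tfstate, so that teammates
  # and the CI job share one view of the infrastructure.
  # The bucket name is a placeholder; the bucket must exist before `terraform init`.
  backend "gcs" {
    bucket = "PLACEHOLDER-tfstate-bucket"
    prefix = "terraform/state"
  }

  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  project = "PLACEHOLDER-project-id" # placeholder
  region  = "us-central1"
}

# The network references nothing else, so it sits at the root of the
# dependency graph.
resource "google_compute_network" "vpc_network" {
  name = "terraform-network"
}

# Referencing google_compute_network.vpc_network.name adds an edge to the
# dependency graph: apply creates the network before the instance, and
# destroy removes the instance before the network (Google Cloud refuses to
# delete a VPC network that still contains resources).
resource "google_compute_instance" "vm_instance" {
  name         = "terraform-instance"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = google_compute_network.vpc_network.name
  }
}
```

Run terraform plan to see the ordering in the execution plan, and terraform graph to print the dependency graph Terraform builds from these references.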
In this lab, you learned how to build, change, and destroy infrastructure with Terraform. You then created resource dependencies, and provisioned basic infrastructure with Terraform configuration files.
Terraform is a popular open source Infrastructure as Code (IAC) tool that automates provisioning of your infrastructure in the cloud and manages the full lifecycle of all deployed resources, which are defined in source code. Its resource-managing behavior is predictable and reproducible, so you can plan the actions in advance and reuse your code configurations for similar infrastructure.
To manage your infrastructure with GitLab, you can use the integration with Terraform to define resources that you can version, reuse, and share:
- Manage low-level components like compute, storage, and networking resources.
- Manage high-level components like DNS entries and SaaS features.
- Incorporate GitOps deployments and Infrastructure-as-Code (IaC) workflows.
- Use GitLab as a Terraform state storage.
- Store and use Terraform modules to simplify common and complex infrastructure patterns.
Watch a video overview of the features GitLab provides with the integration with Terraform.

Integrate your project with Terraform
IaC Scanning was introduced in GitLab 14.6.
The integration with GitLab and Terraform happens through GitLab CI/CD. Use an include attribute to add the Terraform template to your project and customize from there. To get started, choose the template that best suits your needs:
- Latest template
- Stable template and advanced template
All templates:
- Use the GitLab-managed Terraform state as the Terraform state storage backend.
- Trigger four pipeline stages: test, validate, build, and deploy.
- Run Terraform commands: test, validate, plan, and plan-json. It also runs the apply only on the default branch.
- Check for security problems using IaC Scanning.

Latest Terraform template
The latest template is compatible with the most recent GitLab version. It provides the most recent GitLab features, but can potentially include breaking changes. You can safely use the latest Terraform template:
- If you use GitLab.com.
- If you use a self-managed instance updated with every new GitLab release.

Stable and advanced Terraform templates
If you use earlier versions of GitLab, you might face incompatibility errors between the GitLab version and the template version.
In this case, you can opt to use one of these templates:
- The stable template with a skeleton that you can build on top of.
- The advanced template to fully customize your setup.
Note: In each GitLab major release (for example, 15.0), the latest templates replace the older ones. This process can introduce breaking changes. You can use an older version of the template if you need to.

Use a Terraform template
To use a Terraform template:
1. On the top bar, select Main menu > Projects and find the project you want to integrate with Terraform.
2. On the left sidebar, select Repository > Files.
3. Edit your .gitlab-ci.yml file and use the include attribute to fetch the Terraform template:

    include:
      # To fetch the latest template, use:
      - template: Terraform.latest.gitlab-ci.yml
      # To fetch the advanced latest template, use:
      - template: Terraform/Base.latest.gitlab-ci.yml
      # To fetch the stable template, use:
      - template: Terraform.gitlab-ci.yml
      # To fetch the advanced stable template, use:
      - template: Terraform/Base.gitlab-ci.yml

4. Add the variables as described below:

    variables:
      TF_STATE_NAME: default
      TF_CACHE_KEY: default
      # If your terraform files are in a subdirectory, set TF_ROOT accordingly. For example:
      # TF_ROOT: terraform/production

5. Optional. Override in your .gitlab-ci.yml file the attributes present in the template you fetched to customize your configuration.

Terraform template recipes
For GitLab-curated template recipes, see Terraform template recipes.

Related topics
- View the images that contain the gitlab-terraform shell script.
- Use GitLab as a Terraform module registry.
- To store state files in local storage or in a remote store, use the GitLab-managed Terraform state.
- To collaborate on Terraform code changes and Infrastructure-as-Code workflows, use the Terraform integration in merge requests.
- To manage GitLab resources like users, groups, and projects, use the GitLab Terraform provider. The GitLab Terraform provider documentation is available on the Terraform docs site.
- Create a new cluster on Amazon Elastic Kubernetes Service (EKS).
- Create a new cluster on Google Kubernetes Engine (GKE).
- Troubleshoot issues with GitLab and Terraform.