
Hashicorp Certified Terraform Associate 2023: Instructed by Zeal Vora

Uploaded by

vishnu reddy
HashiCorp Certified Terraform Associate 2023

Instructed by Zeal Vora


IAC Tools
DevOps = Developers
Exploring Toolsets

There are various types of tools that can allow you to deploy infrastructure as code:

- Terraform
- CloudFormation
- Heat
- Ansible
- SaltStack
- Chef, Puppet and others
Configuration Management vs Infrastructure Orchestration

Ansible, Chef, Puppet are configuration management tools, which means that they are
primarily designed to install and manage software on existing servers.

Terraform, CloudFormation are the infrastructure orchestration tools, which basically
means they can provision the servers and infrastructure by themselves.

Configuration Management tools can do some degree of infrastructure provisioning, but
the focus here is that some tools are going to be a better fit for certain types of tasks.
IAC & Configuration Management = Friends
Which tool to choose ?
The question remains how to choose the right IAC tool for the organization:

i) Is your infrastructure going to be vendor specific in longer term ? Example AWS.

ii) Are you planning to have multi-cloud / hybrid cloud based infrastructure ?

iii) How well does it integrate with configuration management tools ?

iv) Price and Support


Terraform

i) Supports multiple platforms, has hundreds of providers.

ii) Simple configuration language and faster learning curve.

iii) Easy integration with configuration management tools like Ansible.

iv) Easily extensible with the help of plugins.

v) Free !!!
Installing Terraform
Terraform in detail
Overview of Installation Process

Terraform installation is very simple.

You have a single binary file, download and use it.


Supported Platforms

Terraform works on multiple platforms. These include:

Windows
macOS
Linux
FreeBSD
OpenBSD
Solaris
Terraform Installation - Mac & Linux

There are two primary steps required to install Terraform on Mac and Linux:

1) Download the Terraform Binary File.

2) Move it in the right path.


Choosing IDE For Terraform
Terraform in detail
Terraform Code in NotePad!
You can write Terraform code in Notepad and it will not have any impact.

Downsides:

Slower Development
Limited Features
Need of a Better Software
There is a need for a better application that allows us to develop code faster.
What are the Options!
There are many popular source code editors available in the market.
Editor for This Course
We are going to make use of Visual Studio Code as primary editor in this course.

Advantages:
1. Supports Windows, Mac, Linux
2. Supports a wide variety of programming languages.
3. Many Extensions.
Understanding the Basics
Terraform Extension
Setting up the Lab
Let’s start Rolling !
Let’s Start

i) Create a new AWS Account.

ii) Begin the course


Registering an AWS Account
Understanding the Basics
Basics of Authentication and Authorization
Learning for Today's Video
Access Credentials
Revising the Basics of EC2
Available Regions
Virtual Machine Configuration
Basics of Providers
Learning 1 - Provider Plugins
Learning 2 - Resource
Learning 3 - Resource Blocks
Point to Note
Important Question
Issues and Bugs with Providers
Relax and Have a Meme Before Proceeding
Provider Maintainers
Provider Namespace
Important Learning
Learning to Destroy Resources
Approach 1 - Destroy ALL
Approach 2 - Destroy Some
Terraform Destroy with Target
Desired & Current State
Terraform in detail
Desired State
Terraform's primary function is to create, modify, and destroy infrastructure resources to
match the desired state described in a Terraform configuration
Current State
Current state is the actual state of a resource that is currently deployed.
Important Pointer

Terraform tries to ensure that the deployed infrastructure is based on the desired state.

If there is a difference between the two, terraform plan presents a description of the
changes necessary to achieve the desired state.
Provider Versioning
Terraform in detail
Provider Architecture
Overview of Provider Versioning
Provider plugins are released separately from Terraform itself.

They have a different set of version numbers.
Explicitly Setting Provider Version
During terraform init, if version argument is not specified, the most recent provider will be
downloaded during initialization.

For production use, you should constrain the acceptable provider versions via configuration, to
ensure that new versions with breaking changes will not be automatically installed.
Arguments for Specifying provider
There are multiple ways for specifying the version of a provider.
Dependency Lock File
Terraform dependency lock file allows us to lock to a specific version of the provider.

If a particular provider already has a selection recorded in the lock file, Terraform will always
re-select that version for installation, even if a newer version has become available.

You can override that behavior by adding the -upgrade option when you run terraform init.
Understanding the Challenge
Points to Note
Understanding the Usage
Lecture Format - Terraform Course
Terraform in detail
Overview of the Format

We tend to use a different folder for each practical that we do in the course.

This allows us to be more systematic and makes it easier to revisit a practical if required.
Find the appropriate code from GitHub

Code in GitHub is arranged according to sections that are matched to the domains in the course.

Every section in GitHub has an easy Readme file for quick navigation.
Destroy Resource After Practical

We know how to destroy resources by now

terraform destroy

After you have completed your practical, make sure you destroy the resource before moving to
the next practical.

This is easier if you are maintaining a separate folder for each practical.
Relax and Have a Meme Before Proceeding
Attributes & Output Values
Terraform in detail
Understanding Attributes

Terraform has the capability to output the attributes of a resource with output values.

Example:

ec2_public_ip = 35.161.21.197
bucket_identifier = terraform-test-kplabs.s3.amazonaws.com
Attributes are important
Output attributes can not only be used for user reference but can also act as an input to
other resources being created via Terraform.

Let’s understand this with an example:

After the EIP gets created, its IP address should automatically get whitelisted in the security group.
Referencing Cross-Resource Attributes
Terraform in detail
Example 1: EIP and EC2 Instance
Example 2: EIP and Security Group
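
The EIP and security group case described above, as an added example that is not taken from the course material. The resource names `lb` and `allow_tls` and the port are assumptions.

```hcl
# Added example; resource names and the port are illustrative.

# Elastic IP whose address is only known after creation.
resource "aws_eip" "lb" {}

resource "aws_security_group" "allow_tls" {
  name = "allow-tls-from-eip"

  ingress {
    description = "HTTPS from the Elastic IP only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"

    # Cross-resource attribute reference: Terraform creates the EIP first,
    # then fills in its address. The /32 limits the rule to that one address.
    cidr_blocks = ["${aws_eip.lb.public_ip}/32"]
  }
}

# The same attribute exposed as an output value for user reference.
output "eip_public_ip" {
  value = aws_eip.lb.public_ip
}
```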
Terraform Variables
Terraform in detail
Static = Work
Repeated static values can create more work in the future.
Variables are good
We can have a central source from which we can import the values.
Approaches to Variable Assignment
Terraform in detail
Multiple Approaches to Variable Assignment

Variables in Terraform can be assigned values in multiple ways.

Some of these include:

Environment variables
Command Line Flags
From a File
Variable Defaults
Data Types for Variables
Terraform in detail
Overview of Type Constraints

The type argument in a variable block allows you to restrict the type of value that will be accepted
as the value for a variable

If no type constraint is set then a value of any type is accepted.


Example Use-Case
Every employee in Medium Corp is assigned an Identification Number.

Any resource that employee creates should be created with the name of the identification number
only.
Example Use-Case
Every employee in Medium Corp is assigned an Identification Number.

Any EC2 instance that employee creates should be created using the identification number only.
Overview of Data Types
Count Parameter
Terraform in detail
Overview of Count Parameter

The count parameter on resources can simplify configurations and let you scale resources by
simply incrementing a number.

Let’s assume you need to create two EC2 instances. One common approach is to define
two separate resource blocks for aws_instance.
Overview of Count Parameter

With count parameter, we can simply specify the count value and the resource can be scaled
accordingly.
Count Index

In resource blocks where count is set, an additional count object is available in expressions, so you
can modify the configuration of each instance.

This object has one attribute:

count.index — The distinct index number (starting with 0) corresponding to this instance.
Understanding Challenge with Count

With the below code, terraform will create 5 IAM users. But the problem is that all will have the
same name.
Understanding Challenge with Count

count.index allows us to fetch the index of each iteration in the loop.


Understanding Challenge with Default Count Index

Having a username like loadbalancer0, loadbalancer1 might not always be suitable.

Names like dev-loadbalancer, stage-loadbalancer, prod-loadbalancer are better.

count.index can help in such a scenario as well.


Conditional Expression
Terraform in detail
Overview of Conditional Expression

A conditional expression uses the value of a bool expression to select one of two values.

Syntax of Conditional expression:

If condition is true then the result is true_val. If condition is false then the result is false_val.
Example of Conditional Expression
Let’s assume that there are two resource blocks as part of terraform configuration.

Depending on the variable value, one of the resource blocks will run.
Local Values
Terraform in detail
Overview of Local Values

A local value assigns a name to an expression, allowing it to be used multiple times within a
module without repeating it.
Local Values Support for Expression
Local Values can be used for multiple different use-cases like having a conditional expression.
Important Pointers for Local Values

Local values can be helpful to avoid repeating the same values or expressions multiple times in a
configuration.

If overused they can also make a configuration hard to read by future maintainers by hiding the
actual values used

Use local values only in moderation, in situations where a single value or result is used in many
places and that value is likely to be changed in future.
Terraform Functions
Terraform in detail
Overview of Terraform Functions
The Terraform language includes a number of built-in functions that you can use to transform
and combine values.

The general syntax for function calls is a function name followed by comma-separated arguments
in parentheses:

function (argument1, argument2)

Example:
List of Available Functions
The Terraform language does not support user-defined functions, and so only the functions built
in to the language are available for use

Numeric
String
Collection
Encoding
Filesystem
Date and Time
Hash and Crypto
IP Network
Type Conversion
Data Sources
Terraform in detail
Overview of Data Sources

Data sources allow data to be fetched or computed for use elsewhere in Terraform configuration.
Data Source Code
Defined under the data block.
Reads from a specific data source (aws_ami) and exports results under “app_ami”
Debugging Terraform
Terraform in detail
Overview of Debugging Terraform

Terraform has detailed logs which can be enabled by setting the TF_LOG environment variable
to any value.

You can set TF_LOG to one of the log levels TRACE, DEBUG, INFO, WARN or ERROR to
change the verbosity of the logs
Important Pointers

TRACE is the most verbose and it is the default if TF_LOG is set to something other than a log
level name.

To persist logged output you can set TF_LOG_PATH in order to force the log to always be
appended to a specific file when logging is enabled.
Terraform Format
Terraform in detail
Importance of Readability

Anyone who is into programming knows the importance of formatting the code for readability.

The terraform fmt command is used to rewrite Terraform configuration files to take care of the
overall formatting.
Terraform Validate
Terraform in detail
Overview of Terraform Validate

Terraform Validate primarily checks whether a configuration is syntactically valid.

It can check various aspects including unsupported arguments, undeclared variables and others.
Load Order & Semantics
Terraform in detail
Understanding Semantics

Terraform generally loads all the configuration files within the directory specified in
alphabetical order.

The files loaded must end in either .tf or .tf.json to specify the format that is in use.
Dynamic Block
Terraform In Depth
Understanding the Challenge

In many use-cases, there are repeatable nested blocks that need to be defined.

This can lead to long code that is difficult to manage over time.
Dynamic Blocks

Dynamic blocks allow us to dynamically construct repeatable nested blocks, which are supported
inside resource, data, provider, and provisioner blocks.
Iterators

The iterator argument (optional) sets the name of a temporary variable that represents the
current element of the complex value

If omitted, the name of the variable defaults to the label of the dynamic block ("ingress" in the
example above).
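
A dynamic block with an explicit iterator, as an added example that is not taken from the course material. The variable `ingress_ports`, its sample values, the CIDR range and the resource name are assumptions.

```hcl
# Added example; port list and CIDR are constructed sample values.
variable "ingress_ports" {
  type        = list(number)
  description = "Ports to open on the security group"
  default     = [443, 8200, 8201]
}

resource "aws_security_group" "dynamic_sg" {
  name = "dynamic-sg"

  # One ingress block is generated per element of var.ingress_ports,
  # replacing three hand-written, nearly identical blocks.
  dynamic "ingress" {
    for_each = var.ingress_ports

    # Optional: names the temporary variable "port".
    # Without this line it would be called "ingress" (the block label).
    iterator = port

    content {
      from_port   = port.value
      to_port     = port.value
      protocol    = "tcp"
      cidr_blocks = ["10.0.0.0/16"]
    }
  }
}
```

Because every rule comes from one list, reviewing which ports are exposed means reviewing a single variable rather than scanning repeated blocks.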
Understanding the Use-Case
Recreating the Resource
Points to Note
Splat Expression

Terraform Expressions
Overview of Splat Expression
Splat Expression allows us to get a list of all the attributes.
Terraform Graph

Terraform In Detail
Overview of Graph
The terraform graph command is used to generate a visual representation of either a
configuration or execution plan

The output of terraform graph is in the DOT format, which can easily be converted to
an image.
Saving Terraform Plan to a File

Terraform In Detail
Terraform Plan File
The generated terraform plan can be saved to a specific path.

This plan can then be used with terraform apply to be certain that only the changes
shown in this plan are applied.

Example:

terraform plan -out=path


Terraform Output
Terraform in detail
Terraform Output

The terraform output command is used to extract the value of an output variable from the state
file.
Terraform Settings
Terraform in detail
Overview of Terraform Settings

The special terraform configuration block type is used to configure some behaviors of
Terraform itself, such as requiring a minimum Terraform version to apply your configuration.

Terraform settings are gathered together into terraform blocks:


Setting 1 - Terraform Version

The required_version setting accepts a version constraint string, which specifies which versions
of Terraform can be used with your configuration.

If the running version of Terraform doesn't match the constraints specified, Terraform will
produce an error and exit without taking any further actions.
Setting 2 - Provider Version

The required_providers block specifies all of the providers required by the current module,
mapping each local provider name to a source address and a version constraint.
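
Both settings in one terraform block, as an added example that is not taken from the course material; it also illustrates the provider version constraints discussed earlier under Provider Versioning. The version numbers are constructed sample values.

```hcl
# Added example; version numbers are illustrative.
terraform {
  # Terraform itself: refuse to run on versions outside this range.
  required_version = ">= 1.5.0, < 2.0.0"

  required_providers {
    aws = {
      # Source address: <namespace>/<type> on the public registry.
      source = "hashicorp/aws"

      # "~> 5.0" accepts any 5.x release but never 6.0, so a new major
      # version with breaking changes is not installed automatically.
      # Other forms: ">= 5.0", "<= 5.30", ">= 5.0, < 5.30", or an exact "5.30.0".
      version = "~> 5.0"
    }
  }
}

# Leaving out the version argument makes terraform init download the most
# recent provider, which is the behaviour the constraint above prevents.
#
# After terraform init, the selected version and its checksums are recorded
# in .terraform.lock.hcl. Later runs re-select that exact version until
# terraform init -upgrade is used.
```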
Dealing with Larger Infrastructure
Terraform in detail
Challenges with Larger Infrastructure

When you have a larger infrastructure, you will face issues related to API limits for a provider.
Dealing With Larger Infrastructure

Switch to smaller configurations where each can be applied independently.


Slow Down, My Man
We can prevent terraform from querying the current state during operations like terraform plan.

This can be achieved with the -refresh=false flag


Specify the Target
The -target=resource flag can be used to target a specific resource.

Generally used as a means to operate on isolated portions of very large configurations


Zipmap
Terraform Function
Overview of Zipmap

The zipmap function constructs a map from a list of keys and a corresponding list of
values.
Sample Output of Zipmap Function
Simple Use-Case
You are creating multiple IAM users.

You need an output which contains a direct mapping of IAM names and ARNs.
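
The use-case above, as an added example that is not taken from the course material. It also shows count.index used to pick names from a list and a splat expression feeding zipmap. The variable name `iam_names` and the path are assumptions.

```hcl
# Added example; variable and resource names are illustrative.
variable "iam_names" {
  type    = list(string)
  default = ["dev-loadbalancer", "stage-loadbalancer", "prod-loadbalancer"]
}

resource "aws_iam_user" "lb" {
  # One user per list element.
  count = length(var.iam_names)

  # count.index starts at 0 and selects the matching name,
  # so the users are not all created with the same name.
  name = var.iam_names[count.index]
  path = "/system/"
}

output "iam_name_to_arn" {
  # The splat expressions return two lists in the same order;
  # zipmap pairs them into a map of name => ARN.
  value = zipmap(aws_iam_user.lb[*].name, aws_iam_user.lb[*].arn)
}
```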
Comments in Terraform Code
Commenting the Code!
Overview of Comments
A comment is a text note added to source code to provide explanatory information,
usually about the function of the code
Comments in Terraform
The Terraform language supports three different syntaxes for comments:
Challenges with Count
Meta-Argument
Revising the Basics
Resources are identified by the index value from the list.
Challenge - 1

If the order of the elements in the list is changed, this can impact all of the other resources.
Important Note

If your resources are almost identical, count is appropriate.

If distinctive values are needed in the arguments, usage of for_each is recommended.


Data Type - SET
Let’s Revise Programming
Basics of List

Lists are used to store multiple items in a single variable.


List items are ordered, changeable, and allow duplicate values.
List items are indexed, the first item has index [0], the second item has index [1] etc.
Understanding SET

SET is used to store multiple items in a single variable.

SET items are unordered and no duplicates are allowed.


toset Function

The toset function converts a list of values to a SET.


for_each
Meta-Argument
Basics of For Each

for_each makes use of map/set as an index value of the created resource.


Replication Count Challenge

If a new element is added, it will not affect the other resources.


The each object

In blocks where for_each is set, an additional each object is available.

This object has two attributes:
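
IAM users created with for_each instead of count, as an added example that is not taken from the course material. The variable name `user_names`, its values and the resource name are assumptions.

```hcl
# Added example; names are constructed sample values.
variable "user_names" {
  type    = list(string)
  default = ["user-01", "user-02", "user-03"]
}

resource "aws_iam_user" "by_name" {
  # for_each needs a map or a set, so the list is converted with toset.
  for_each = toset(var.user_names)

  # each.key is the current element; for a set, each.value is the same value.
  name = each.key
}

output "arns_by_name" {
  # Instances are addressed by key, e.g. aws_iam_user.by_name["user-02"],
  # not by position, so adding or removing a name leaves the others untouched.
  value = { for name, user in aws_iam_user.by_name : name => user.arn }
}
```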


Relax and Have a Meme Before Proceeding
Provisioners
Interesting Part is here
Provisioners are interesting
Till now we have been working only on creation and destruction of infrastructure scenarios.

Let’s take an example:

We created a web-server EC2 instance with Terraform.

Problem: It is only an EC2 instance, it does not have any software installed.

What if we want a complete end to end solution ?


Welcome to Terraform Provisioners
Provisioners are used to execute scripts on a local or remote machine as part of resource creation
or destruction.

Let’s take an example:

On creation of Web-Server, execute a script which installs Nginx web-server.


Types of Provisioners
Interesting Part is here
Provisioners are interesting
Terraform has the capability to run provisioners both at the time of resource creation as well as
destruction.

There are two main types of provisioners:


Local Exec Provisioners
local-exec provisioners allow us to invoke a local executable after the resource is created.

Let’s take an example:


Remote Exec Provisioners
Remote-exec provisioners allow us to invoke scripts directly on the remote server.

Let’s take an example:


Provisioner Types
Terraform in detail
Overview of Provisioner Types

There are two primary types of provisioners:


Destroy Time Provisioner

If when = destroy is specified, the provisioner will run when the resource it is defined within is
destroyed.
local-exec
Provisioners Time!
Provisioners are interesting
local-exec provisioners allow us to invoke a local executable after the resource is created.

One of the most common uses of local-exec is to run ansible-playbooks on the created server
after the resource is created.
Failure Behavior - Provisioners
Terraform in detail
Provisioner - Failure Behaviour

By default, provisioners that fail will also cause the terraform apply itself to fail.

The on_failure setting can be used to change this. The allowed values are:
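
The provisioner behaviours covered in this section in one resource, as an added example that is not taken from the course material. The variables `ami_id`, `key_name` and `private_key_path`, the SSH user and the file names are assumptions, and the AMI is assumed to offer nginx through yum.

```hcl
# Added example; variables, user name and file names are illustrative.
variable "ami_id" { type = string }
variable "key_name" { type = string }
variable "private_key_path" { type = string }

resource "aws_instance" "web" {
  ami           = var.ami_id
  instance_type = "t2.micro"
  key_name      = var.key_name

  # How Terraform reaches the instance for remote-exec.
  # Keep the private key file out of version control.
  connection {
    type        = "ssh"
    user        = "ec2-user"
    private_key = file(var.private_key_path)
    host        = self.public_ip
  }

  # Creation-time, runs on the remote server.
  provisioner "remote-exec" {
    inline = [
      "sudo yum -y install nginx",
      "sudo systemctl start nginx",
    ]
  }

  # Creation-time, runs on the machine executing Terraform.
  # on_failure = continue ignores an error here; the default (fail)
  # would make terraform apply fail.
  provisioner "local-exec" {
    command    = "echo ${self.private_ip} >> private_ips.txt"
    on_failure = continue
  }

  # Destroy-time, runs when this instance is destroyed.
  provisioner "local-exec" {
    when    = destroy
    command = "echo 'instance ${self.id} destroyed' >> destroy.log"
  }
}
```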
Null Resource
Terraform Function
Basics of Null Resource
The null_resource implements the standard resource lifecycle but takes no further action.
DRY Principle
Software Engineering
Understanding DRY Approach
In software engineering, don't repeat yourself (DRY) is a principle of software development
aimed at reducing repetition of software patterns.

In the earlier lecture, we were making static content into variables so that there can be a single
source of information.
We are repeating resource code
We repeat various Terraform resources multiple times across multiple projects.

Sample EC2 Resource


Centralized Structure
We can centralize the terraform resources and can call out from TF files whenever required.
Challenges with Modules
Software Engineering
Challenges
One common need in infrastructure management is to build environments like staging,
production with similar setup but keeping environment variables different.
Challenges
When we use modules directly, the resources will be a replica of the code in the module.
Using Locals with Modules
Terraform Function
Understanding the Challenge
Using variables in Modules can also allow users to override the values which you might
not want.
Setting the Context
There can be many repetitive values in modules and this can make your code difficult to
maintain.

You can centralize these using variables but users will be able to override it.
Using Locals
Instead of variables, you can make use of locals to assign the values.

You can centralize these using variables but users will be able to override it.
Module Outputs
Output the Data
Revising Output Values
Output values make information about your infrastructure available on the command
line, and can expose information for other Terraform configurations to use.
Accessing Child Module Outputs
In a parent module, outputs of child modules are available in expressions as
module.<MODULE NAME>.<OUTPUT NAME>
Terraform Registry
Terraform in detail
Overview of Terraform Registry

The Terraform Registry is a repository of modules written by the Terraform community.

The registry can help you get started with Terraform more quickly
Module Location

If we intend to use a module, we need to define the path where the module files are present.

The module files can be stored in multiple locations, some of these include:

Local Path
GitHub
Terraform Registry
S3 Bucket
HTTP URLs
Verified Modules in Terraform Registry

Within Terraform Registry, you can find verified modules that are maintained by various third
party vendors.

These modules are available for various resources like AWS VPC, RDS, ELB and others.
Verified Modules in Terraform Registry

Verified modules are reviewed by HashiCorp and actively maintained by contributors to stay
up-to-date and compatible with both Terraform and their respective providers.

The blue verification badge appears next to modules that are verified.

Module verification is currently a manual process restricted to a small group of trusted
HashiCorp partners.
Using Registry Module in Terraform

To use Terraform Registry module within the code, we can make use of the source argument that
contains the module path.

The code below references the EC2 Instance module within Terraform Registry.
Publishing Modules
Publish Modules to Terraform Registry
Overview of Publishing Modules
Anyone can publish and share modules on the Terraform Registry.

Published modules support versioning, automatically generate documentation, allow
browsing version histories, show examples and READMEs, and more.
Requirements for Publishing Module
Standard Module Structure
The standard module structure is a file and directory layout that is recommended for
reusable modules distributed in separate repositories.
Terraform Workspace
Interesting topics
Understanding WorkSpaces
Terraform allows us to have multiple workspaces; with each workspace we can have
a different set of environment variables associated.
Team Collaboration
Terraform in detail
Local Changes are not always good
Currently we have been working with terraform code locally.
Centralized Management
Relax and Have a Meme Before Proceeding
Terraform Module Sources
Terraform in detail
Supported Module Sources

The source argument in a module block tells Terraform where to find the source code for the
desired child module.

Local paths
Terraform Registry
GitHub
Bitbucket
Generic Git, Mercurial repositories
HTTP URLs
S3 buckets
GCS buckets
Local Path

A local path must begin with either ./ or ../ to indicate that a local path is intended.
Git Module Source
Arbitrary Git repositories can be used by prefixing the address with the special git::
prefix.

After this prefix, any valid Git URL can be specified to select one of the protocols
supported by Git.

Referencing to a Branch
By default, Terraform will clone and use the default branch (referenced by HEAD) in
the selected repository.

You can override this using the ref argument:

The value of the ref argument can be any reference that would be accepted by the git
checkout command, including branch and tag names.
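
Three module sources side by side, as an added example that is not taken from the course material. The local path, the module names, the Git URL, the tag and the version constraint are constructed sample values.

```hcl
# Added example; paths, URL, tag and version are illustrative.

# Local path: must start with ./ or ../
module "network_local" {
  source = "./modules/network"
}

# Terraform Registry: the version argument pins the release.
# version is only supported for registry sources.
module "ec2_registry" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 5.0"
}

# Generic Git: the git:: prefix plus any valid Git URL.
# Without ?ref=... Terraform clones the default branch (HEAD), so the code
# can change between runs; a tag in ref keeps the module at a reviewed revision.
module "vpc_git" {
  source = "git::https://example.com/vpc.git?ref=v1.2.0"
}
```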
Terraform & GitIgnore
Terraform in detail
Overview of gitignore

The .gitignore file is a text file that tells Git which files or folders to ignore in a project.
Terraform and .gitignore

Depending on the environments, it is recommended to avoid committing certain files to GIT.


Terraform Backend
Terraform in detail
Basics of Backends
Backends primarily determine where Terraform stores its state.

By default, Terraform implicitly uses a backend called local to store state as a local file on disk.
Challenge with Local Backend
Nowadays a Terraform project is handled and collaborated on by an entire team.

Storing the state file on a local laptop will not allow collaboration.
Ideal Architecture
The following describes one of the recommended architectures:

1. The Terraform Code is stored in Git Repository.


2. The State file is stored in a Central backend.
Backends Supported in Terraform

Terraform supports multiple backends that allow remote service related operations.

Some of the popular backends include:

S3
Consul
Azurerm
Kubernetes
HTTP
ETCD
Important Note
Accessing state in a remote service generally requires some kind of access credentials

Some backends act like plain "remote disks" for state files; others support locking the state while
operations are being performed, which helps prevent conflicts and inconsistencies.
State Locking
Let’s Lock the State
Understanding State Lock
Whenever you are performing a write operation, Terraform locks the state file.

This is very important as otherwise during your ongoing terraform apply operations, if others
also try for the same, it can corrupt your state file.
Basic Working
Important Note

State locking happens automatically on all operations that could write state. You won't see any
message that it is happening

If state locking fails, Terraform will not continue

Not all backends support locking. The documentation for each backend includes details on
whether it supports locking or not.
Force Unlocking State
Terraform has a force-unlock command to manually unlock the state if unlocking failed.

If you unlock the state when someone else is holding the lock it could cause multiple writers.

Force unlock should only be used to unlock your own lock in the situation where automatic
unlocking failed.
State Locking in S3 Backend
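
An S3 backend with state locking through a DynamoDB table, as an added example that is not taken from the course material. The bucket name, state key, region and table name are placeholders.

```hcl
# Added example; bucket, key, region and table name are placeholders.
terraform {
  backend "s3" {
    bucket = "example-terraform-state"
    key    = "network/terraform.tfstate"
    region = "us-east-1"

    # Server-side encryption of the state object, which can hold sensitive values.
    encrypt = true

    # Table used for the lock. Terraform writes a lock item before any
    # operation that could write state and removes it afterwards.
    dynamodb_table = "terraform-state-lock"
  }
}

# The lock table itself, normally created once in a separate configuration.
# The S3 backend requires a string partition key named LockID.
resource "aws_dynamodb_table" "tf_lock" {
  name         = "terraform-state-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}
```

If a run is interrupted and the lock item is left behind, terraform force-unlock with the lock ID removes it, subject to the caution above about only unlocking your own lock.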
Back to Providers
