SE Hangout

Solutions Engineering Hangout: Terraform Beginner FAQs and Examples

Roger Berlind introduces HashiCorp Terraform, explains how it helps customers provision their infrastructure, and gives a demo in which he uses Terraform to provision VMs to the AWS, Azure, and Google clouds.

Provisioning VMs to Public Clouds with Terraform

In this first webinar, Roger Berlind introduces HashiCorp Terraform, explains how it helps customers provision their infrastructure, and gives a demo in which he uses Terraform to provision VMs to the AWS, Azure, and Google clouds. Jon then answers questions about Terraform from the audience.

Agenda

  • 0:00 - 0:05 Introduction: Amanda MacLeod
  • 0:05 - 0:20 Terraform Overview: Roger Berlind
  • 0:20 - 0:50 Terraform Demo: Roger Berlind
  • 0:50 - 1:00 Open Q&A: Jon Benson

Questions & Answers

Here is a summary of the questions asked, with Jon and Roger's answers.

1. What other resources do you have available to get an intro to Terraform and set up a test case? Getting Started is the best place to start; it provides a number of easy-to-follow walkthrough examples. There are also some example infrastructures here → Example Configurations, and a Terraform Guides section that will continue to be updated with examples of how Terraform solves common use cases → Terraform Guides.

2. Will source examples be available via GitHub? See infrastructure-as-code examples for the GCP, Azure, and AWS samples used in the demo. This also includes examples of provisioning Kubernetes clusters into Google Kubernetes Engine (GKE) and Azure Container Service (ACS). The Sentinel policies used in the demo are available here along with other Sentinel policies.

3. Can you briefly explain the best practices for cloning an infrastructure with Terraform? If you're referring to promotion, you could have dev and prod branches of a repository containing Terraform code, point dev and prod workspaces at those branches, and promote changes from dev to prod, setting different values of Terraform variables to account for the differences between dev and prod. If by "clone" you mean bringing existing infrastructure that was not provisioned by Terraform under Terraform management, see the questions below about terraform import. If you just want to duplicate an existing infrastructure with Terraform, you would need to map all of your existing resources into a Terraform template.

4. How much code is reusable between providers? If I have similar infrastructure on different clouds, can I use most of the code from one? The overall organization of the code tends to be very similar, but the specific resources that are referenced, as well as various attributes of those resources, are inevitably different. This is by design: if we only offered the lowest common denominator of resources across providers, you wouldn't be able to take full advantage of what each provider has to offer. That said, you can leverage Terraform modules to abstract this away.

5. Do you have an example of a simple architecture deployment with network policies and so on? There are many example architecture deployments in the Terraform Module Registry. For example, here is an example AWS VPC architecture.

6. In the demo, when the instance was changed from west to east, was it destroyed in west and recreated in east when the switch was made via Terraform? It had never been created in the us-west-1 region because the Sentinel policy had prevented that.

7. What would "read" permissions on a workspace be used for? With the Terraform remote state functionality, you can "read" the outputs of other workspaces; this provides an API-like interface for different workspaces to work together. An example might be where your networking team manages networking resources in one workspace (VPC, subnets, firewalls, etc.) and your development team manages development resources in another workspace (ASG, ECS, etc.). The dev team still needs to provision resources in the networking team's VPC, but you don't want your developers to be able to modify networking infrastructure. You can give the dev team "read" permissions on the networking team's workspace and leverage Terraform remote state to read the outputs that the networking team exposes (VPC ID, private subnet IDs, etc.) and provision dev resources into them. See the following for more documentation:
  • Terraform Remote State
  • TFE Permissions, for the specific permissions in the read, write, and admin categories.
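The networking/dev split described above, as an added example that is not from the webinar or the repositories it links. It assumes Terraform 0.12+ syntax, the remote backend, an organization named example-org and a workspace named networking; only what the networking workspace declares as an output is visible to the dev workspace, which needs nothing more than read access to it.

```hcl
# --- networking workspace (networking team has write access) ---
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "private" {
  count      = 2
  vpc_id     = aws_vpc.main.id
  cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
}

# Only these outputs are exposed to consumers of this workspace's state.
output "vpc_id" {
  value = aws_vpc.main.id
}

output "private_subnet_ids" {
  value = aws_subnet.private[*].id
}

# --- dev workspace (dev team has read access on "networking" only) ---
data "terraform_remote_state" "networking" {
  backend = "remote"
  config = {
    organization = "example-org" # assumed organization name
    workspaces = {
      name = "networking" # assumed workspace name
    }
  }
}

# The dev team places its instance in the networking team's subnet but
# cannot change the VPC or subnets themselves: it only reads the outputs.
resource "aws_instance" "app" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI id
  instance_type = "t2.micro"
  subnet_id     = data.terraform_remote_state.networking.outputs.private_subnet_ids[0]

  tags = {
    Name = "dev-app"
    VPC  = data.terraform_remote_state.networking.outputs.vpc_id
  }
}
```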

8. Can you integrate with MS Active Directory for the team member logins? TFE supports SAML, which should provide the integration with MS Active Directory for team member logins.
  • SAML
  • SAML team membership

9. For the SAML integration, does it link to an organization or to the Terraform Enterprise as a whole, etc? SAML integration is only supported with Private Terraform Enterprise. The integration is at the server level, not the organization level. See our TFE SAML doc.

10. Are you supporting AWS auto-naming (service discovery)? Yep, this actually just recently landed (an hour before the webinar!); see the links below.
  • AWS Provider issue #2561
  • AWS Provider pull request #2613
  • aws_service_discovery_private_dns_namespace resource
  • aws_service_discovery_public_dns_namespace resource
  • aws_service_discovery_service resource

11. I'm assuming that the Atlas GUI is part of the Terraform Enterprise version. Is that true of the GitHub connection? Does the Open Source version limit one to working only on the local dev environment? Yes, the UI Roger showed is part of Terraform Enterprise (TFE). Integration with VCS systems like GitHub is also part of TFE, not Terraform OSS.

12. As we migrate in Q1 to the new Enterprise level, I want to take advantage of the GitHub integration I saw today. Is the 2-way GitHub integration something that requires any sort of GitHub plugins or features that need to be turned on to make that happen? The TFE/GitHub integration uses Github OAuth applications. See the TFE Github integration doc and Github's own OAuth apps doc.

13. Apart from Github, what version controls are supported? Github, Github Enterprise, GitLab.com, GitLab CE and EE, Bitbucket Cloud, Bitbucket Server

14. Is it possible to use Terraform for on-prem infrastructure as well? Yes. There are also over 70 Terraform providers available to choose from, some specific to on-prem. We have a vSphere provider for VMware and an OpenStack provider for OpenStack, which are the more commonly used on-prem providers, but many more are on the way! Many customers create their own custom Terraform providers for proprietary on-prem infrastructure as well; all you need is an API.

15. If I was interested in the on-prem Terraform product, how could I use Sentinel as well? Is it a separately licensed module of the Terraform server? Absolutely. Sentinel is available with Terraform Enterprise Premium for both the SaaS and Private versions. There is no separate charge for Sentinel, and it is not licensed separately.

16. Any plans to support VMware vRealize Automation (vRA)? This is the product that replaced vCloud Director. VMware has released a Terraform provider for vRA. There is also one from Sky-UK.

17. Will there be any in depth training on using Packer with VMware API? That is not currently scheduled, but we suggest you look at the doc for the Packer VMware Builder and the following post-processor docs: vSphere and vSphere Template.

18. We're an F5 shop. If we wanted to use the F5 provider created by F5, do we need to purchase that separately? Or are we allowed to use all the current providers free of charge? No need to purchase separately. We're aware of two Terraform Open Source F5 providers in GitHub:
  • This one by F5.
  • And this one.

19. Is there a way to bulk import the state of current cloud subscription into Terraform state? You can use the terraform import command to import individual resources into your Terraform state, but there is not currently a bulk import tool.

20. How can we somehow auto-generate all the resources in the instance.tf when using "terraform import ..."? I think you're asking for a bulk import tool. We do not have this at this time.

21. How do you manage to map an already existing infrastructure that is set up across regions? When using "terraform import ..." it only generates a Terraform state but not the initial resources in the "instance.tf". Do you have this feature mapped in your roadmap, or is there a way to do that already? To clarify, this question is asking about terraform import being able to generate the configuration, not just the state file. With this assumption, the answer is yes, this is a feature on the Terraform roadmap.

22. How mature/feature complete are your Google and Azure Providers compared to AWS? Which one is your priority for development at the moment? While the AWS provider has existed longer and has more resources, the Azure and Google providers are both pretty mature, have many resources, and are improving all the time with help from Microsoft and Google.

23. Testing (Unit/Integration) of the code is not discussed and I wonder what the recommendation is? One of our partners, Contino, wrote a great [blog post](https://www.contino.io/insights/top-3-terraform-testing-strategies-for-ultra-reliable-infrastructure-as-code) about this topic which includes recommendations and some links to some tools.

24. In a CloudFormation stack, it's possible for someone to inadvertently delete a resource from the stack, which would put that stack in a broken state where you can no longer make updates. There is no access to modify linked resources. How does Terraform compensate for this? Terraform uses a declarative model rather than a procedural model. So, if someone deletes a resource and you run plan and apply again, Terraform will re-provision the deleted resource. That said, by appropriately leveraging terraform plan, you will be informed when a terraform apply would delete resources. You can also leverage lifecycle arguments like prevent_destroy on resources to mitigate accidental deletion of resources.

25. Do you support now or are you planning to support VSTS or Perforce as a repository? Not at this time. See Terraform's VCS Integration doc for supported VCS systems.

26. Is there a place for provider versioning... i.e. rollback of a provider update? Terraform does allow you to specify which versions of providers you want to use. See this doc. Specific versions of providers can also be used in modules. See the providers in modules doc.
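Questions 24 and 26 together, as an added example that is not from the webinar: a production configuration that pins its provider version so that a provider upgrade (or rollback) is an explicit, reviewed change, and protects a stateful resource with prevent_destroy. It assumes Terraform 0.14 or later and a sensitive db_password variable; the AWS provider version shown is a constructed example.

```hcl
terraform {
  required_version = ">= 0.14"

  # Q26: pin the provider. Rolling back a provider update is then just a
  # version-controlled change to this constraint followed by `terraform init`.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 2.70" # assumed: any 2.70.x patch release, never 3.x
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "db_password" {
  type      = string
  sensitive = true # keeps the value out of plan and apply output
}

# Q24: a stateful resource that must not be lost to an accidental destroy.
resource "aws_db_instance" "prod" {
  identifier          = "prod-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password
  skip_final_snapshot = false

  lifecycle {
    # With this set, `terraform plan`/`apply` fail with an error instead of
    # destroying the instance, whether from `terraform destroy` or from a
    # change that forces replacement (e.g. editing `engine`). Caveat: the
    # protection lives in this block, so removing the whole resource block
    # from the configuration also removes the protection.
    prevent_destroy = true
  }
}
```

Run `terraform plan` after any change to this file: a replacement shows up as "must be replaced" before anything is applied, and prevent_destroy turns that plan into an error rather than a silent data loss.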

27. How would you handle rollbacks when something goes wrong? You could re-commit an older version of the code in your VCS to be the current version; that would trigger a Terraform run which would then run the old code. Keep in mind that Terraform is declarative. So, if your old code does not include things that were provisioned by the code you want to roll back, they will be destroyed when you run the old code. If a recent Terraform run corrupted the state file, you can leverage the Terraform Enterprise State Rollback feature to roll back to the last known good state, as all state changes are versioned.

28. If I am provisioning resources using the API of TFE, will I have the same history as I have on the web? What is the difference between the API and the web? Yes, the UI is built on top of the API, so everything in the UI is available via the API and vice versa. For example, when you do runs via the API, the runs, states, and history will all show up in the UI.

29. If we want to run Terraform without the GUI, will there be a presentation available for us? Where should we look for that demo? We recommend reading about the Terraform Enterprise API here. You can also read about API-driven runs. Roger has provided a more complex bash script to illustrate the use of the APIs here. If you have any additional questions, reach out to tfe-trial-help@hashicorp.com.

30. What type of extensions are available in Terraform? If I want to use Kubernetes as my orchestration platform, do you have client APIs that can talk to Kubernetes End Points? Terraform's Kubernetes Provider can be used to provision Kubernetes pods, services, and other Kubernetes constructs to Kubernetes clusters. You can view all other Terraform providers available to you here.

31. I'm using Terraform via the AWS CLI. How can I use it via the Terraform UI? We're not sure what you mean by saying that you use Terraform via the AWS CLI. If you are asking how you can use the AWS CLI from inside Terraform code, the answer is that you could invoke the AWS CLI inside null_resource resources using Terraform's local-exec provisioner. This is easy with Terraform OSS, which customers run on machines that already have the AWS CLI installed. Doing this with Terraform Enterprise is trickier since the AWS CLI is not currently installed on the SaaS and private Terraform Enterprise servers. But it is feasible to install cloud vendor CLIs like aws, az, and gcloud as part of your Terraform code. See Roger's AKS repository for an example of installing the Azure CLI (az). Doing this for the AWS CLI would be similar.

32. Can we access the module repository if we are only using the open source version? Yes, users of Terraform OSS can use modules from the public Terraform Module Registry.

33. What is the difference between Terraform Open Source, Pro, and Enterprise? I saw the 2 levels of Enterprise. Is the only difference in support levels, meaning the Enterprise features are the same regardless of support level? Please see Terraform Enterprise Features to learn which features are in the OSS, Pro, and Premium versions.

34. Is it possible to add policies in the Open Source or Enterprise Pro version? No, Sentinel policies are only available with Terraform Enterprise Premium. See the link above for details on the split of features.

35. How would you recommend small teams who are already using the open-source version of Terraform move to the Pro or Enterprise version? Is there training or professional services available to help with the migration? You might find the Terraform Best Practices guide interesting since it addresses how customers can move up the Terraform maturity curve. In general, you would need to put your Terraform code into VCS repositories, integrate those into Terraform Enterprise workspaces, and possibly migrate existing state into the Terraform SaaS server or your private TFE server. HashiCorp also provides training. See our training website.

36. We're a small shop. We'd like to standardize on using HashiCorp products, for our customer work. Is there a pricing model for Enterprise products that would work for a small shop that doesn't have large-scale deployments? (so we can become familiar with the products as a means to sell them to customers) You would find using the Terraform SaaS solution cheaper than running a private Terraform Enterprise server. Additionally, you might find that Terraform Enterprise Pro meets your needs. See Terraform Enterprise Features to learn which features are in the OSS, Pro, and Premium versions.

37. How do I pursue Terraform certification? Which roadmap should I use? We do not have a general certification program for individuals, but do have one for our partners. See this blog post.

38. If we are an enterprise customer of Terraform, do we get a preference in terms of telling Terraform developers to focus on certain pull requests that are blocking us? As an enterprise customer, you will be able to file tickets with HashiCorp Support and reach out to your HashiCorp account manager, solutions engineer, or technical account manager and ask them to escalate issues and pull requests you submit against our open source projects. However, there is no guarantee that your pull requests will actually be merged as quickly as you might want, or at all, especially if HashiCorp's product management or engineering teams have concerns about them.

39. What about credential management with Vault? This seems to be very complex since it adds the dependency of Consul. As Roger mentioned during the webinar, cloud credentials can be stored in Vault and pulled into Terraform via the Vault Provider. This includes the possibility of using Vault Open Source which does not require Consul as a storage backend. (Consul is only required by Vault Enterprise.)

40. Are there plans to not have to use Consul as a backend for Vault, but to use it as a "frontend" to KMS? Terraform's Vault Provider interfaces with both Vault Open Source and Vault Enterprise. Consul is not actually required as the storage backend of Vault Open Source. See storage backends for the complete list of options that Vault OSS supports. Note that Consul is required as the storage backend when using Vault Enterprise, but HashiCorp does not charge extra for the Consul servers used as the storage backend behind Vault Enterprise servers. We're not sure what you mean about using it as a frontend to KMS.
