Fundamentals

Dom Clayton edited this page Jan 5, 2023 · 12 revisions

Terraform Commands

Init

Initialises a working directory, whether that is new code or code cloned from version control, e.g. GitHub. It also downloads the providers and creates a .terraform.lock.hcl file, which should be included in version control.

NOTE: You can show verbose logging by setting the TF_LOG environment variable

PowerShell

$env:TF_LOG="TRACE"

Bash

export TF_LOG="TRACE"
terraform init

Validate

Validates the syntax of Terraform configuration files and ensures the configuration is consistent.

terraform validate

Plan

Dry run: shows what the Terraform code is going to create, delete, or modify.

terraform -chdir='.\some path to the terraform root directory\' plan

terraform plan

Plan -out

Output a deployment plan for later use e.g.

terraform -chdir='.\some path to the terraform root directory\' plan -out planName -var-file='.\test.tfvars' -var='subscriptionId=000...'

terraform plan -out planName

Plan -state

Use a state file outside of the root directory e.g.

terraform -chdir='.\some path to the terraform root directory\' plan -out 'Env/planName' -var-file='.\test.tfvars' -var='subscriptionId=000...' -state='Env/terraform.tfstate'

Plan -destroy

Dry run of destroy

terraform plan -destroy

You would then use Terraform apply 'plan', as per this example, to destroy the resources.

Apply

Applies changes to reach the 'desired state'.

terraform apply

Apply {Plan Name}

terraform apply deployment_infra_date

Apply -state {Plan Name}

terraform apply -state='Env/terraform.tfstate' 'Env/planName'

Apply -target={Resource Name}

Apply -var variableName={variableValue}

Destroy

Remove the resources created by Terraform.

Blocks

Terraform

The Terraform settings block for your root module...

The backend block within the Terraform settings block can be used to define where the state file should be located...

terraform {
    backend "azurerm" {
        storage_account_name = "storage_account_name"
        container_name       = "container"
        key                  = "something.tfstate"
        // access_key and sas_token are secrets, shown here only as placeholders
        access_key           = "storage_account_access_key"
        sas_token            = "storage_account_sas_token"
    }
}

The values above can be passed using backend.tfvars and environment variables. For example, the storage_account_name, container_name and key could be stored within backend.tfvars, which is referenced during terraform init using the -backend-config flag. The access_key or sas_token should be kept secret and would most likely be initialised at runtime using some form of wrapper script, for example...

Param
(
    [Parameter(Mandatory)]
    [string]$storage_account_name
)
# ...
# Look up key1 for the named storage account
$ACCESS_KEY = Get-AzStorageAccountKey -ResourceGroupName (Get-AzResource -Name $storage_account_name).ResourceGroupName -Name $storage_account_name | Where-Object {$_.KeyName -eq "key1"}
# ...
# Pass the key to Terraform through the environment of the current session
$env:ARM_ACCESS_KEY=($ACCESS_KEY).Value
# ...
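
One way to check that neither secret has been committed alongside the backend settings, as an added example rather than code from this wiki: the shell function below reports any access_key or sas_token assigned a string literal in .tf, .tfvars or .hcl files, printing the location but not the value. The function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): a pre-commit style check that
# reports hard-coded azurerm backend secrets without echoing their values.

# Prints "file:line:key" for each access_key / sas_token assigned a non-empty
# string literal in *.tf, *.tfvars or *.hcl files under DIR (default: .).
# The downloaded provider directory (.terraform) is skipped.
find_hardcoded_backend_secrets() {
    local dir="${1:-.}"
    find "$dir" -type d -name .terraform -prune -o \
        -type f \( -name '*.tf' -o -name '*.tfvars' -o -name '*.hcl' \) \
        -exec grep -HnE '^[[:space:]]*(access_key|sas_token)[[:space:]]*=[[:space:]]*"[^"]+"' {} + |
        sed -E 's/^([^:]+:[0-9]+):[[:space:]]*(access_key|sas_token).*$/\1:\2/'
}

# Constructed sample tree: one backend block with a literal key, and one
# backend.tfvars that holds only the non-secret settings.
make_sample_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/bad" "$root/good"
    cat > "$root/bad/main.tf" <<'EOF'
terraform {
    backend "azurerm" {
        storage_account_name = "storage_account_name"
        access_key           = "constructed-not-a-real-key"
    }
}
EOF
    cat > "$root/good/backend.tfvars" <<'EOF'
storage_account_name = "storage_account_name"
container_name       = "container"
key                  = "something.tfstate"
EOF
    echo "$root"
}

# Run the check over the constructed tree and report any findings.
sample="$(make_sample_tree)"
if [ -n "$(find_hardcoded_backend_secrets "$sample")" ]; then
    echo "hard-coded backend secret(s) found:"
    find_hardcoded_backend_secrets "$sample"
fi
rm -rf "$sample"
```
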

To consume Terraform state in other root modules, use the terraform_remote_state data source, for example...

data "terraform_remote_state" "module_name" {
    backend = "azurerm"
    
    config = {
        storage_account_name = "storage_account_name"
        container_name       = "container_name"
        key                  = "module_name.tfstate"
    }
    
}

The access_key or sas_token would be accessed via an environment variable as detailed above.

Providers

Terraform relies on providers to manage resources; a provider is a logical abstraction of the upstream API e.g. Azure Resource Manager. Providers can be found here.

Resources

resource "resource_type" "resource_type_name" {
    argument_name = argument_value
}

// for example
resource "azurerm_resource_group" "my_resource_group" {
    name = "rg-1" // mandatory
    location = "northeurope" // mandatory
    tags = { // optional
        environment = "prod"
    }
}

Variables

Outputs

Locals

Meta-Arguments

Depends_On

Used to specify dependencies which Terraform cannot automatically resolve.

Count

Used to create multiple resources using an integer - like the copy element in ARM.

For_each

Used to create multiple resources using a map or set of strings.

Provider

Providers are defined within the terraform .tf file. These are downloaded by Terraform when you run terraform init. The providers are stored in a hidden .terraform directory within the working directory.

Lifecycle

Customisations for resource types...

Terraform types

Maps and Object Patterns and Usage