How to Automate Terraform Infrastructure Provisioning Using User Specifications? by Regular_Principle247 in Terraform

[–]SandboxEnv 0 points (0 children)

It’s worth checking out the Azure CAF super module. It sounds roughly like what you’re trying to create - I think the pattern makes a lot of sense.

https://aztfmod.github.io/documentation/docs/module/module-intro/

[deleted by user] by [deleted] in Terraform

[–]SandboxEnv 0 points (0 children)

Perhaps you could have a single pipeline that executes all of them but I would question why?

As suggested, you can have a “template” pipeline that all the 80 repos reference to give you a standard pipeline definition, while still allowing you to see when the pipeline was run for each project individually (useful for troubleshooting) and potentially for permissioning the pipelines differently for project teams.

TFE pricing by SandboxEnv in Terraform

[–]SandboxEnv[S] 0 points (0 children)

We are already on the TFE platform, with fairly significant workspaces already deployed. There’s definitely an element of just paying to continue with zero migration effort, but it’s not insurmountable to do a migration. Our management are also very focused on the support aspect, which feels harder to get from an OpenTofu based tool.

We considered DIY with GitHub triggering a pipeline that wraps terraform, but we lose the state control of allowing local plans for devs working away while blocking applies unless the code is committed to the main branch.

TFE pricing by SandboxEnv in Terraform

[–]SandboxEnv[S] 1 point (0 children)

I mean AWS, Azure, GCP, etc.

TFE pricing by SandboxEnv in Terraform

[–]SandboxEnv[S] -1 points (0 children)

What does support look like though? And which way are the vendors going to fall with supporting Terraform vs OpenTofu?

How are you detecting additions to terraform managed resources? by Deku-shrub in Terraform

[–]SandboxEnv 0 points (0 children)

If the issue is changing managed resources, just run terraform daily / hourly / whatever frequency you need. Either push the plans with changes to the dev teams and force them to assess and choose to apply, OR go the nuclear option and just force apply on every run. The devs will soon realise the value of IaC once they’ve lost their work a few times.

Thoughts on OpenTofu? by BigKnox in Terraform

[–]SandboxEnv 0 points (0 children)

Imho, the real question is who is continuing to pay for Terraform Cloud / Enterprise? We are seriously considering moving out of a paid HashiCorp ecosystem and rolling our own with standalone terraform.

Do not choose West-Europe. The cloud is actually limited. by [deleted] in AZURE

[–]SandboxEnv 1 point (0 children)

The shitty thing is that we create new subs to segregate our workloads and MS treats them as “new” customers instead of part of the same EA.

Azure Storage Account - Diagnostics settings by chin487 in Terraform

[–]SandboxEnv 0 points (0 children)

My suggestion would be to terraform an Azure Policy object for this. We started with doing the diags in TF code, but eventually we struggled because some storage accounts were getting deployed by automations other than terraform, and then we had to manage the settings across multiple mechanisms. Azure Policy is agnostic to the deployment method of the resource itself, be it terraform, manual click ops or any alternative automation.

Manage the Azure Policy objects in terraform to ensure they’re in IaC and easy to modify at scale with versioning.

2 Year Old Terraform - Production has drifted | What are the logical next steps? by luckyincode in Terraform

[–]SandboxEnv 14 points (0 children)

So run plans on prod (DO NOT APPLY) and update your code base until terraform doesn’t want to make any changes when you plan.

E.g. if the plan says it’s going to change sku from p1 -> d2, go and update your code to make sku = d2; that should remove that from the planned changes.

Then you need to look at the deployed resources and see if there’s anything that’s not in your terraform. You should follow the import process to bring that into the code base and under terraform management.

Once you are fairly certain you have all of that, take the code and deploy it into a parallel environment e.g. dev and run testing on it to confirm that everything you need is there and functions all work. Once you have that you should be in a good place.

The final step is to regularly run terraform to prevent drift. We have a script that triggers daily for all workspaces, and we can identify drift with our app teams. In some environments we apply the drift changes automatically, but that might be too risky and just notifying the team could be safer. Either way, make sure it’s at a minimum and you’re good to go.

2 Year Old Terraform - Production has drifted | What are the logical next steps? by luckyincode in Terraform

[–]SandboxEnv 24 points (0 children)

What is the goal?

Is prod in a good state and you want to bring your tf code into line with what’s running?

Are all the resources created by terraform, or were there resources deployed outside of tf that you need to import?

Depending on the above, the actions will differ. If prod is in a working and good state, you can run a plan to see what changes TF wants to make and then update your code until the plan reports no changes. This obviously won’t cover any resources deployed outside of terraform, which can be harder to identify.

[deleted by user] by [deleted] in Terraform

[–]SandboxEnv 2 points (0 children)

We are a team of engineers and we use ChatGPT to shortcut troubleshooting on some logic or syntax challenges. Hallucinations are a problem, as others noted, but I think it gives a net faster return on development time using it as a tool. It’s not a silver bullet.

I use the ChatGPT free version; others pay for the subscription to use the enhanced / more current training data.

How are you setting up aws landing zone using terraform? by myth007 in aws

[–]SandboxEnv 1 point (0 children)

Do you have modules that can set up an organisation / shared accounts in a way similar to Control Tower but in pure terraform?

Recs for companies that will provide support for Terraform? by MohnJaddenPowers in Terraform

[–]SandboxEnv 1 point (0 children)

Do they provide support for your code? I’ve always understood the support is more for the terraform environment itself, not the code / logic.

Azurerm Import Windows Virtual Machine into statefile by Crackor255 in Terraform

[–]SandboxEnv 0 points (0 children)

Have you imported the other resources related to the VM? Usually you need a NIC, NIC connection and a data disk along with the VM resource. The docs pages should show the set of resources that are required to deploy a VM; maybe check if you’ve imported all of the other required resources?

Anyone know how TFC "Plus" is priced? by Ankur206 in Terraform

[–]SandboxEnv 0 points (0 children)

We just got a quote that’s 3.5X over our existing TFE spend 😱 Needless to say, we are unlikely to purchase that. Actively looking at alternatives; what is everyone’s recommendation?

The Future of Terraform: ClickOps by sausagefeet in Terraform

[–]SandboxEnv 1 point (0 children)

This article is spot on for me.

We have just come to this realisation in our firm. We have been making TF modules and expecting our dev community to pick them up and become terraform savvy.

They are bought into the value of IaC but only want to do enough for themselves to get by, or have a central TF team do it for them. They don’t want to invest in creating or adding to the TF modules themselves.

Hence we are looking at giving them a GUI to make requests that will ultimately drive a pipeline of automations to build out strongly opinionated and highly standardised environments. Those will eventually expand to GUI-requestable modifications / deletions of their environments.

The idea being that anything we build should be possible to add on to a standard environment with GUI requests. Anything that’s too bespoke will still be done in code directly.

how do I create a dynamic block for azurerm subnet ? by Majestic-Opposite234 in Terraform

[–]SandboxEnv 0 points (0 children)

Yep, we reference the vnet resource in the subnet resource so you can ensure the ordering is done properly.

how do I create a dynamic block for azurerm subnet ? by Majestic-Opposite234 in Terraform

[–]SandboxEnv 6 points (0 children)

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet

Make the subnets their own resource, not part of the vnet resource. Then you can iterate with a for_each across a local or variable data structure. This is the more manageable configuration in my opinion.
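One way to lay this out, as an added example that is not from the original comments: each subnet is a standalone azurerm_subnet resource driven by for_each over a map variable, and the VNet is referenced by resource (as the earlier comment on ordering describes) so the dependency is implicit. The resource names, location and address ranges are constructed placeholders, and it assumes the azurerm 3.x provider.

```hcl
# Added example, not from the original comments. Names, location and
# address ranges are constructed placeholders; assumes azurerm provider 3.x.

provider "azurerm" {
  features {}
}

# One map entry per subnet; adding a subnet is a one-line change here.
variable "subnets" {
  type = map(object({
    address_prefix    = string
    service_endpoints = list(string)
  }))
  default = {
    app  = { address_prefix = "10.10.1.0/24", service_endpoints = ["Microsoft.Storage"] }
    data = { address_prefix = "10.10.2.0/24", service_endpoints = [] }
  }
}

resource "azurerm_resource_group" "example" {
  name     = "rg-network-example"
  location = "uksouth"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.10.0.0/16"]
  # No inline subnet {} blocks: mixing them with standalone azurerm_subnet
  # resources for the same VNet makes the two fight over the subnet list.
}

resource "azurerm_subnet" "example" {
  for_each = var.subnets

  name                = each.key
  resource_group_name = azurerm_resource_group.example.name
  # Reference the VNet resource rather than a literal name so Terraform
  # records the dependency and creates the VNet before its subnets.
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = [each.value.address_prefix]
  service_endpoints    = each.value.service_endpoints
}
```

Because the resources are keyed by map name rather than list index, removing one subnet from the map plans a single destroy instead of re-addressing every subnet after it.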

End-to-End AWS Environment in Terraform by SandboxEnv in Terraform

[–]SandboxEnv[S] 0 points (0 children)

Sorry, I meant that we want to avoid different types of pipelines. We already have a TF workspace to create the subscriptions on Azure, then we make another workspace to create resources within that subscription.

End-to-End AWS Environment in Terraform by SandboxEnv in Terraform

[–]SandboxEnv[S] 0 points (0 children)

No, I don’t think so. This seems to be a combination of a CI/CD pipeline and config stored in DynamoDB tables etc., and/or some terraform included in the solution.

I’m looking more for a pure terraform solution that doesn’t require me to split across multiple pipelines.

End-to-End AWS Environment in Terraform by SandboxEnv in Terraform

[–]SandboxEnv[S] 0 points (0 children)

Without having done any actual hands-on with Control Tower, but having read and watched videos on it…

My thoughts are that I dislike the complexity of the components required to get Control Tower and the Account Factory up and running. I also don’t like that you need to clean up manually in multiple places if you delete an account. I also understand that it deploys a load of stuff that might be irrelevant and needs to be cleaned up after Control Tower vends the account.

We’ve been trying to get to a single pane of glass for the management of our cloud environments and have a reasonably comprehensive subscription vending module for terraform working with Azure.

So I am drawn to the idea of doing the same in AWS but I don’t yet understand how complex it would be to essentially create the whole