Jacob is a Software Engineer at Spacelift with experience working in high scale distributed systems environments: building storage systems, service meshes, observability infrastructure, and developer experience workflows.

All posts by Jacob Martin - Infrastructure as Code Expert

Jacob Martin

Author title

Title category

Get all the latest content on Infrastructure as Code, DevOps, Spacelift features & news directly to your inbox!

Level up your IaC knowledge. Stay up to date with educational devops guides & news in infrastructure as code, cloud & more!

Managing Infrastructure at Scale | Spacelift Blog

AWS: Spacelift Reduces Time Spent on Cloud Management by 90% 🚀

applepodcasts

spotify

missionctrl

Welcome to missionCTRL, a show dedicated to exploring the frontiers of modern DevOps. Listen (or watch) as we sit down with the practitioners who are pushing the boundaries of development

Want to level up your Terraform knowledge? Explore our tutorials and step-by-step guides written by Terraform experts. Learn Terraform best practices and solutions to the most difficult problems.

Terraform Guides and Tutorials | Spacelift Blog

Terraform

Data sources in Terraform are used to get information about resources external to Terraform, and use them to set up your Terraform resources. For example, a list of IP addresses a cloud provider exposes.

We can find excellent examples of data source usage in the <a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc#example-usage" target="_blank" rel="nofollow noopener">AWS provider docs</a>:

In this scenario, we may have created our aws_vpc manually, because it also contains other manually created resources, and now we want to start adding Terraform managed resources to it.
In order to do this, we use the aws_vpc data source to find the manually created aws_vpc, and then use its properties to configure our aws_subnet.
Another fancy use case would be to use the <a href="https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository_pull_requests" target="_blank" rel="nofollow noopener">GitHub provider Pull Requests data source</a> to list all Pull Requests, and then provision an on-demand preview environment for each Pull Request. It would go along the lines of:

<ul>
<li><a href="https://spacelift.io/blog/terraform-in-ci-cd" target="_blank" rel="noopener"><span data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;How to Deploy your Infrastructure in CI/CD using Terraform&quot;}" data-sheets-userformat="{&quot;2&quot;:513,&quot;3&quot;:{&quot;1&quot;:0},&quot;12&quot;:0}">How to Deploy your Infrastructure in CI/CD using Terraform</a></li>
<li><a href="https://spacelift.io/blog/drift-detection" target="_blank" rel="noopener"><span data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;Infrastructure Drift Detection and How to Fix It&quot;}" data-sheets-userformat="{&quot;2&quot;:513,&quot;3&quot;:{&quot;1&quot;:0},&quot;12&quot;:0}">Infrastructure Drift Detection and How to Fix It</a></li>
<li><a href="https://spacelift.io/blog/github-actions-terraform" target="_blank" rel="noopener"><span data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;Managing Terraform with GitHub Actions &amp; How to Scale&quot;}" data-sheets-userformat="{&quot;2&quot;:513,&quot;3&quot;:{&quot;1&quot;:0},&quot;12&quot;:0}">Managing Terraform with GitHub Actions &amp; How to Scale</a></li>
</ul>

By default, Terraform will refresh all data sources before creating a plan. You can also explicitly refresh all data sources by running <code>terraform refresh</code>.
Occasionally you’ll have data sources that change very often and would like to keep your resources in sync with those changes. The easiest way to achieve this is to just run Terraform every few minutes or so, do a refresh, and apply all resulting changes.
You could also use something akin to <a href="https://docs.spacelift.io/concepts/stack/drift-detection" target="_blank" rel="noopener">Spacelift’s Drift Detection</a> to automate this process and make sure it doesn’t interfere with your manual Terraform executions.

If you are struggling with Terraform automation and management, check out Spacelift. It helps you manage Terraform state, build more complex workflows, and adds several must-have capabilities for end-to-end infrastructure management.

5 Ways to Manage Terraform at Scale - Best Practices

How Spacelift Can Improve Your Infrastructure as Code

Terraform Tutorial - Getting Started With Terraform on AWS

Data sources in Terraform are used to get information about external resources and use them to set up Terraform resources. See the example usage. 

13-terraform-data-sources

Terraform data sources

Terraform Data Sources - How They Are Utilised (Example)

Sumeet Ninawe

Terraform is a product by Hashicorp that uses Infrastructure as Code (IaC) to provision cloud infrastructure.
In this tutorial, we will learn step-by-step how to use Terraform, enabling you to manage cloud infrastructure with IaC.
<div class="p-rich_text_section">This Terraform tutorial includes:</div>
<ol class="p-rich_text_list p-rich_text_list__ordered" data-stringify-type="ordered-list" data-indent="0" data-border="0">
<li data-stringify-indent="0" data-stringify-border="0"><a href="https://spacelift.io/blog/terraform-tutorial#the-benefits-of-using-terraform">The Benefits of Using Terraform</a></li>
<li data-stringify-indent="0" data-stringify-border="0"><a href="https://spacelift.io/blog/terraform-tutorial#terraform-features">Terraform Features</a></li>
<li data-stringify-indent="0" data-stringify-border="0"><a href="https://spacelift.io/blog/terraform-tutorial#installation-and-setup">Installation and Setup</a></li>
<li data-stringify-indent="0" data-stringify-border="0"><a href="https://spacelift.io/blog/terraform-tutorial#terraform-providers">Terraform Providers</a></li>
<li data-stringify-indent="0" data-stringify-border="0"><a href="https://spacelift.io/blog/terraform-tutorial#resources">Resources</a></li>
<li data-stringify-indent="0" data-stringify-border="0"><a href="https://spacelift.io/blog/terraform-tutorial#terraform-cli">Terraform CLI</a></li>
<li data-stringify-indent="0" data-stringify-border="0"><a href="https://spacelift.io/blog/terraform-tutorial#terraform-variables">Terraform Variables</a></li>
<li data-stringify-indent="0" data-stringify-border="0"><a href="https://spacelift.io/blog/terraform-tutorial#state-management">State Management</a></li>
<li data-stringify-indent="0" data-stringify-border="0"><a href="https://spacelift.io/blog/terraform-tutorial#remote-backends">Remote Backends</a></li>
</ol>

Traditionally, without IaC, the cloud infrastructure was managed manually. This was not the most efficient way and was prone to manual errors. Consistency was a challenge, especially when many servers and clusters were to be managed.
Configuration management tools existed, but the infrastructure&#8217;s support was very limited. Application code development and management of that code has evolved a lot with versioning tools, DevOps toolchains, development practices, and delivery methodologies. Terraform introduced the concept of <a href="https://spacelift.io/blog/infrastructure-as-code" target="_blank" rel="noopener">Infrastructure as Code</a>, which by default leverages these advantages to managing infrastructure. 
Let us take a look at a few of the benefits Terraform has to offer.
<table>
<tbody>
<tr>
<td>Benefits</td>
<td>Description</td>
</tr>
<tr>
<td>Consistency
&nbsp;</td>
<td>With infrastructure being managed via code, it becomes very easy to version and track changes. Since cloud resource provision happens logically, we can rely on its consistency to create a scaled set of infrastructure.
&nbsp;</td>
</tr>
<tr>
<td>Automation
&nbsp;</td>
<td>Terraform workflow manages <a href="https://spacelift.io/blog/terraform-resource-lifecycle" target="_blank" rel="noopener">the lifecycle</a> of cloud resources &#8211; from their creation till they are destroyed or decommissioned. This provides an opportunity to enable end-to-end automation right from the infrastructure layer. Automation workflows also assist in strengthening deployment strategies. Read more about: <a href="https://spacelift.io/blog/terraform-automation" target="_blank" rel="noopener">Terraform automation</a>.
&nbsp;</td>
</tr>
<tr>
<td>Less Risk
&nbsp;</td>
<td>Using Terraform to develop infrastructure as code provides validation beforehand. I also isolates manual efforts and errors associated with it. Thus once developed, infrastructure provisioning and de-provisioning cycles execute identically.
&nbsp;</td>
</tr>
<tr>
<td>Modular and DRY
&nbsp;</td>
<td>Infrastructure can be developed in a modular way so that it can be reused across multiple projects. This approach also enables organizations to ingrain their security and governance practices around infrastructure resources, thus offsetting the initial efforts spent every time a new project kicks off.
&nbsp;</td>
</tr>
</tbody>
</table>
<span data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;Added: Take a look at 8 Popular Terraform Alternatives.&quot;}" data-sheets-userformat="{&quot;2&quot;:513,&quot;3&quot;:{&quot;1&quot;:0},&quot;12&quot;:0}">You can also take a look at <a href="https://spacelift.io/blog/terraform-alternatives" target="_blank" rel="noopener">8 Popular Terraform Alternatives</a>.

Some of the key features of Terraform are
<table>
<tbody>
<tr>
<td>Feature       </td>
<td>Description</td>
</tr>
<tr>
<td>Declarative
&nbsp;</td>
<td>Terraform uses Hashicorp Configuration Langauge which provides a declarative syntax to develop infrastructure as code. The HCL configuration language helps declare the target state of cloud resources to be provisioned.
&nbsp;</td>
</tr>
<tr>
<td>Cloud Agnostic
&nbsp;</td>
<td>Terraform is a great tool to automate <a href="https://spacelift.io/blog/multi-cloud-infrastructure-strategy" target="_blank" rel="noopener">multi-cloud deployments</a>. Its modular architecture enables working with multiple well-known cloud vendors simultaneously.
&nbsp;</td>
</tr>
<tr>
<td>Ecosystem
&nbsp;</td>
<td>The provider and module ecosystem of Terraform is well established. Certified modules and <a href="https://spacelift.io/blog/terraform-providers" target="_blank" rel="noopener">providers</a> are available on Terraform Registry to be readily used. Customers can create and publish their own modules both publicly and privately.
&nbsp;</td>
</tr>
<tr>
<td>Extendible
&nbsp;</td>
<td>Terraform can be extended to support lesser-known or private data centers.
&nbsp;</td>
</tr>
<tr>
<td>Agentless
&nbsp;</td>
<td>Terraform works with the programmatic access provided by cloud provider APIs. Thus there is no need to install agents.
&nbsp;</td>
</tr>
</tbody>
</table>
With that in mind, let us get our hands dirty by installing and setting up our Terraform environment.

<h3>Terraform</h3>
Terraform comes in two forms: open source and Terraform Cloud. Terraform Cloud is an online hosted platform that provides a UI for automation of provisioning tasks and management, but the code still needs to be manually developed.
You can also check out <a href="https://spacelift.io" target="_blank" rel="noopener">Spacelift</a>, a sophisticated and compliant infrastructure delivery platform that makes Terraform management easy.
For the sake of this tutorial, we would work with an open-source version that offers all of the same features for self-hosting. The Terraform binary can be downloaded from the <a href="https://www.terraform.io/downloads" target="_blank" rel="nofollow noopener">Terraform website</a>.

install-terraform-terraform-tutorial

Download Terraform

Choose the OS and package manager or binary download option as per the choice of your system. The screenshots in this tutorial are based on macOS. Apart from the setup, the steps described in this tutorial are the same across all the operating systems.
If you need more details, see a complete guide on <a href="https://spacelift.io/blog/how-to-install-terraform" target="_blank" rel="noopener"> downloading and installing Terraform on Windows, Linux, and macOS</a>.
The installation steps generally consist of downloading the appropriate binary and setting up the path variable. Once installed successfully, test if the installation works by checking the version below. When writing this tutorial, the latest version of Terraform was v1.2.3.

The code for this tutorial is available at this <a href="https://github.com/sumeetninawe/tf-tuts" target="_blank" rel="nofollow noopener">github repository</a>.
<h3>AWS CLI</h3>
Since we will be working with AWS to provision our infrastructure using Terraform, we also need to install AWS CLI. Follow the steps listed <a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" target="_blank" rel="nofollow noopener">here</a>, to install the latest version of AWS CLI for your OS. After a successful installation, check the version of AWS CLI as shown below. When writing this tutorial, the latest AWS CLI version was 2.7.9.

Terraform uses AWS CLI to make API calls to execute any provisioning task. Log in to AWS Web Console and create a user for Terraform. The user needs programmatic access to AWS, so check the corresponding checkbox only.

installing-aws-cli-terraform-tutorial

installing AWS CLI

For now, provide the administrative role to this user. However, it is recommended to follow the principle of least privilege when working on projects.

setting-premissions-terraform-tutorial

Set permissions

Once the user is successfully created, take a note of the Access Key ID and Secret Access Key.

access-key-terraform-tutorial

Access Key ID and Secret Access Key

We need to configure these credentials in the AWS CLI we just installed. Open the terminal and run the <code>aws configure</code> command to configure default credentials. I have left the region as the default value since I am using the same. Select the region of your choice if required.

With this, we have successfully set up our environment to begin working with Terraform and AWS.
Note: Terraform is able to make API calls without AWC CLI if you hardcode credentials or use some other method to access AWS.

Terraform implements a modular approach in its application architecture. The Terraform binary we downloaded is the core module required to perform core Terraform functions. Any operation or a CLI command that does not involve invoking any cloud provider API are core functions of this binary.
To work with a cloud provider, AWS in our example, Terraform instantiates a corresponding module. It downloads the binary in the root directory of the project. We instruct Terraform to use a specific version of the <a href="https://spacelift.io/blog/terraform-aws-provider" target="_blank" rel="noopener">AWS provider</a> so that our Terraform project can provision AWS resources.
Now is the time to create our Terraform project. Create a directory in your system and open this path into an IDE of your choice. All the Terraform code goes into <code>.tf</code> files created in the root of this directory. Create the first file named <code>provider.tf</code> into this empty directory and write the provider block as below.

As mentioned before, Terraform uses HCL syntax. A declarative configuration language that helps us declare the cloud resources we want to provision using Terraform. In the <code>provider.tf</code> file, we have specified a terraform block, within which we have declared another block that represents <code>required_providers</code>. 
<code>required_providers</code> contains an attribute <code>aws</code> to which an object with a couple of properties is assigned. These properties define the <code>source</code> and desired <code>version</code> of the AWS provider. Provider-specific documentation is maintained in the registry. To check the <a href="https://registry.terraform.io/providers/hashicorp/aws/latest" target="_blank" rel="nofollow noopener">latest version</a> of the available provider and configure various types of resources with AWS, refer to the <a href="https://registry.terraform.io/" target="_blank" rel="nofollow noopener">Terraform registry</a>.
The above code instructs Terraform to initialize the AWS provider with version 4.19.0. Save the <code>provider.tf</code> file. To initialize our Terraform project, run <a href="https://spacelift.io/blog/terraform-init" target="_blank" rel="noopener"><code>terraform init</code></a> command in the root directory and observe the output as below.

As we can see, Terraform has successfully initialized the desired version of the AWS provider. If we look at our root directory, here is what it contains.

provider-tf-terraform-tutorial

provider.tf

Apart from <code>provider.tf</code> and README.md file, we have <code>.terraform.lock.hcl</code> file and a sub-directory named <code>.terraform</code>. The lock file here is used to manage checksums for the downloaded module binaries, which we will discuss in the next sections. <code>.terraform</code> sub-directory is the target where AWS provider plugin binary is downloaded. If you have followed the steps successfully till now, this is how your directory should look.
At this point, we have set up the Terraform provider, and now we would move on to create some resources in our AWS console using Terraform.

Create another file named <code>main.tf</code> in the same directory. The intention of creating this file is to declare the resources we want to create in AWS. It is completely okay to skip creating this file and just append <code>provider.tf</code> file with the below code. However, creating separate files helps manage the Terraform code in a better way. Add the below code to <code>main.tf</code> file.

Here we have declared a resource block of type “<code>aws_instance</code>”. This instructs Terraform that we want to create an EC2 instance resource in AWS with given attributes. <code>aws</code> in <code>aws_instance</code> helps Terraform identify the provider it would require to perform this provisioning task.
Note: To identify the correct resource type and associated attributes, refer <a href="https://registry.terraform.io/" target="_blank" rel="nofollow noopener">Terraform Registry</a>.
The second parameter is “<code>my_vm</code>”, which is an internal identifier. Its purpose is to refer to this particular EC2 instance elsewhere in the code. We can assign any name to this identifier.
Amongst the resource attributes, we have declared the <code>ami</code> &#8211; which defines the image we want to use to create this EC2 instance. The chosen AMI here is an Ubuntu image in Central Europe. We have also specified the <code>instance_type</code> to define the size of the EC2 instance to be created.
Additionally, we have assigned a <code>tag</code> “Name” with the value “My EC2 Instance”.
With this, we have successfully created the code to create an EC2 instance in AWS using Terraform.

We have created the Terraform code to provision our AWS resources, but we have not yet provisioned them. This is what we would do in this section. Let us take a look at some of the important Terraform CLI commands, that also help us understand the resource lifecycle managed by Terraform.
<h3>Format (<code>fmt</code>)</h3>
Assuming we have already written some Terraform code with correct syntax, it may still lack proper indentations. A properly indented code is very valuable as it improves readability. <code>terraform fmt</code> command helps us format the Terraform code for all <code>.tf</code> files in the given directory.
In your project directory, where you have created the <code>main.tf</code> and <code>provider.tf</code> files, run <code>terraform fmt</code> to achieve well-formatted Terraform code in microseconds.

It outputs a file name &#8211; <code>main.tf</code>. On closer observation, in the <code>main.tf</code> file, in the code we created before, the attributes &#8211; although aligned as per the positioning of “=” sign, there are unnecessary spaces between the name and the “=” sign. Now that we have formatted the code, these spaces are removed.
The output just represents a list of all those files which are reformatted by <code>fmt</code> command.
<h3>Initialize (<code>init</code>)</h3>
We have already worked with this command before. Usually, this command is run only at the beginning of a Terraform project &#8211; as far as we stick with the same provider. However, if we decide to add more providers, or change the version of existing ones and try to execute the Terraform code without initializing &#8211; it throws an error. For new developers, this is a common step that is missed.
In our <code>provider.tf</code> file, change the version attribute of <code>aws</code> from “4.19.0” to “4.18.0” and run <code>terraform plan</code> command in the console.

As it must be clear from the error message, Terraform identifies this change and asks us to initialize this directory again to update the appropriate provider module. Run <code>terraform init -upgrade</code> now.

Thus, running <code>init</code> command with the -upgrade flag has helped us match the version of the provider module to be used.
<h3>Plan (<code>plan</code>)</h3>
Plan command helps us validate the resource declaration we have done using Terraform. It takes into account all the Terraform configuration files and identifies any syntax errors, version miss-match errors (like above), etc.
Additionally, it validates the code with the state file (discussed further) to identify and highlight resources that are to be created, updated, or deleted if we choose to execute the current version of the code. It is a great way to have a snapshot of changes before we apply them to the target set of infrastructure.
In our code directory, run <code>terraform plan</code> and observe the output.

There is quite a lot of information provided in the output here. In summary, it highlights all the resources which will be created. Since this is the first time we are going to run the code &#8211; there are no changes or deletions highlighted. The plan summary at the end of the output is a good way to match the stats when we deal with a larger set of resources.
Read more about <a href="https://spacelift.io/blog/terraform-security-group" target="_blank" rel="noopener">Terraform security groups</a>.
<h3>Apply (<code>apply</code>)</h3>
Now that we have verified the actions that Terraform will perform if we choose to execute this code, let us go ahead and create these resources. <code>terraform apply</code> command helps us provision all the resources we have declared in the <code>main.tf</code> file. When you run <code>terraform apply</code>, it again highlights the output similar to the <code>plan</code> command, and asks for our final confirmation as below:

Type in ‘yes’ and hit enter.

Terraform starts to provision the EC2 instance with the attributes we have specified. For all those attributes which are not specified, it assumes the default value. As seen from the output, it took 31 seconds for Terraform to successfully provision our EC2 instance. Verify the same by logging into your AWS console.

provision-ec2-instance-terraform-tutorial

EC2 instance

Under the hood, Terraform uses the AWS provider plugin, which in turn makes programmatic API calls to AWS using the credentials we configured during setup.
Congratulations, if you have managed to reach this point!
<h3>Destroy (<code>destroy</code>)</h3>
Terraform manages the lifecycle of infrastructure. This also means, that if it is responsible for the creation of a particular resource, it is also responsible for its deletion or destruction. Terraform destroy command helps us delete all these resources completely.
To delete the EC2 instance created using <code>apply</code>, run <a href="https://spacelift.io/blog/how-to-destroy-terraform-resources" target="_blank" rel="noopener"><code>terraform destroy</code></a> to terminate the same instance as below.

Here, it again asks for our confirmation with an output that highlights the resources which will be deleted. If we choose to say anything other than ‘yes’, Terraform will abort this operation. Since the plan summary correctly indicates that one resource will be destroyed &#8211; which is as per our expectations &#8211; let us go ahead and confirm the deletion.

As we can see, Terraform has successfully deleted the EC2 instance. Verify the same from the AWS EC2 console.

delete-ec2-instance-terraform-tutorial

delete EC2 instance

Till now we have been able to create and destroy AWS EC2 instances using Terraform. Terraform commands we just discussed are the most important commands which every developer should be aware of. These commands are vital, in the way that they define the complete end-to-end lifecycle of the resources being managed via Terraform.

<ul>
<li><a href="https://spacelift.io/blog/terraform-best-practices" target="_blank" rel="noopener">12 Best Practices for Using Terraform</a></li>
<li><a href="https://spacelift.io/blog/terraform-automation" target="_blank" rel="noopener">How to Automate Terraform Deployments and Infrastructure Provisioning</a></li>
<li><a href="https://spacelift.io/blog/how-specialized-solution-can-improve-your-iac" target="_blank" rel="noopener">How to Improve Your Infrastructure as Code using Terraform</a></li>
</ul>

Variables plan an important role when dealing with Terraform projects. So far we have hardcoded all the values like AMI, Instance Type, and Tags, required to provision our EC2 instance. Imagine doing this for multiple resources &#8211; EC2 instances with various configurations, RDS instances, VPCs, etc. &#8211; this approach can quickly become cumbersome.
Variables introduce the much-needed flexibility and dynamics required to manage larger sets of infrastructure. Variables also play an important role when applying the DRY (don’t repeat yourself) principle when creating modules. We will discuss modules in the upcoming sections.
There are mainly three types of variables &#8211; local, input, and output. We will discuss this one by one.
<h3>Local variables</h3>
As the name suggests, these are locally declared variables. These variables provide a name for any attribute value that is to be used anywhere in the Terraform code. <a href="https://spacelift.io/blog/terraform-locals" target="_blank" rel="noopener">Local variables</a> are especially useful if we were to refer to these values in multiple places in our Terraform code. We can perform various operations to calculate these values based on multiple other values as well.
For the sake of our example, we keep it simple. Create a file named <code>variables.tf</code> in the root directory and declare the local variables as below.

Here we have declared all the hardcoded values into their corresponding local variables. Local variables, once declared, can be referred to anywhere within the module. To refer to these variables in our <code>main.tf</code> file, use the syntax <code>local.&lt;variable_name&gt;</code> at appropriate places. After the changes are done to <code>main.tf</code> reflect usage of variables in main.tf file, it should look like below.

To verify if we have correctly declared and referred local variables in our code, run <code>terraform plan</code> and observe that it does not throw any error. At this moment, it is enough to rely on the planned output for verification.
<h3>Input Variables</h3>
At times, there are situations where the values are to be provided to for the execution of code during run time. Local variables only work locally, they lack the ability to accept and assign values dynamically during runtime. 
Input variables provide this function. This ability also helps us define input values for modules to accept values on the go from the parent module.
Let us redefine our <code>variables.tf</code> file with input variables instead of <code>locals</code> for the same attributes.

We have created three variables &#8211; all of the type string &#8211; and provided them with descriptions. Description of input variables helps in generating documentation if we decide to publish this as a module on Terraform registry. Do the corresponding changes to <code>main.tf</code> file to use input variables instead of locals.

When we run <code>terraform plan</code> command at this point, it validates the code successfully. However, try to run <code>terraform apply</code> and observe the output.

Here Terraform asks to provide the value for ‘Ubuntu AMI ID’, and it would ask the same for the other two variables consecutively. This is just to prove that Terraform allows us to provide these values dynamically during runtime.
If we want to avoid supplying values one by one in CLI, we can declare default values in the same <code>variables.tf</code> file as shown below.

Now if we run <code>terraform apply</code>, it will automatically assume the default values provided in this file and proceed towards provisioning of the EC2 resource.
A better way to manage these default values is to create another file named <code>terraform.tfvars</code>. Terraform automatically interprets this file as a group of key-value pairs and maps them with the declared variables in the <code>variables.tf</code> file.
Clear out all the default values from <code>variables.tf</code> file and create <code>terraform.tfvars</code> file as shown below. The syntax is quite straightforward &#8211; on every line, there is a key assigned with a value.
Let us try to run <code>terraform plan</code> command at this point. As we can see, Terraform indicates a successful plan output.
Note: The name <code>terraform.tfvars</code> is a prerequisite. If we choose any other name before <code>.tfvars</code> extension then the file needs to be explicitly supplied in the CLI command with the -var-file flag. Optionally, we can also use the <code>.auto.tfvars</code> extension so that Terraform can pick this file automatically to read variable values.
<h3>Output Variables</h3>
Till now we have been able to create EC2 instances using Terraform code and CLI commands. However, to get the details about that EC2 instance we log in to the AWS Console and see the required attributes.
<a href="https://spacelift.io/blog/terraform-output" target="_blank" rel="noopener">Output Variables</a> provide a way to retrieve the details we are interested in, in the same CLI terminal. Additionally, output variables help &#8220;return” values to the parent modules for further processing. 
We define output variables in the same variables.tf file. In general, you can define Output or Input variables in any .tf file and they will be interpreted by Terraform as far as they reside in the working directory.
Let’s say we are interested in knowing the public IP and Instance ID of the EC2 instance which will be provisioned. We declare the output variables as below. Append the below code in the variables.tf file.

Run terraform apply and observe the output.

The plan output now also indicates the values which will be known after <code>apply</code>. It chooses to display these values because we have declared their corresponding output variables. Add more output variables to know more about your instance after provisioning.
Run terraform apply to see the values being generated.

As we can see, Terraform has successfully provisioned the EC2 instance and we also have the instance ID and public IP information handy. We did not have to log in to the AWS console to find the same.
Note: As far as the naming convention of the files is concerned, apart from .tfvars, there is no constraint for naming these files like we have done until now. You could name them as per your wish &#8211; Terraform considers all the files with <code>.tf</code> extension in any given directory. The names <code>provider</code>, <code>variables</code>, and <code>main</code> are generic conventions used in the ecosystem.

State management in Terraform is one of the crucial things to know and learn about especially when working with teams. In this section, we dive deep into understanding how state files in Terraform work and the impact it creates on the resource lifecycle management workflow, which then offers a great introduction to the next section about remote backends.
Until now we have created multiple files and if we look at our root directory, the system/Terraform seems to create a few more files. Now is the right time to revisit them.

tf-state-terraform-tutorial

tfstate

We have already discussed the <code>.terraform</code> directory, <code>.terraform.lock.hcl</code> file, <code>main.tf</code>, <code>provider.tf</code>, <code>variables.tf</code>, and <a href="https://spacelift.io/blog/terraform-tfvars" target="_blank" rel="noopener"><code>terraform.tfvars</code></a> files. By now we know the purpose of these files. The two new files created are &#8211;
<ol>
<li style="font-weight: 400;" aria-level="1"><code>terraform.tfstate</code> </li>
<li style="font-weight: 400;" aria-level="1"><code>terraform.tfstate.backup</code></li>
</ol>
As a quick recap of our journey till now, we have set up the Terraform environment and declared the configuration/code to create an EC2 instance in AWS. We also destroyed the resource which we created in this process. We have seen how Terraform performs these operations under the wraps and updates the status in the CLI terminal.
Notice how Terraform only works with the resources created using Terraform alone. AWS resources that are created using Terraform &#8211; only those resources are destroyed. If we had multiple EC2 instances existing before the one created by Terraform, those resources will not be affected.
Terraform manages only those resources that the code written by us creates. For this, Terraform maintains the mapping information regarding the resources defined in the configuration and their corresponding real-world cloud entities. This mapping is saved in the state files.
<code>Terraform.tfstate</code> file thus maintains this mapping which in turn helps Terraform to identify the current state of the resources which are already provisioned, and the resources yet to be provisioned, or to be deleted.
When configuring infrastructure as code using Terraform’s declarative language, we essentially define the desired target state of the infrastructure. Any modifications to this code &#8211; addition or removal of resources &#8211; define the newer target state.
With Spacelift, you can <a href="https://docs.spacelift.io/vendors/terraform/infracost" target="_blank" rel="noopener">get insight</a> into application state, resource usage, changes, and more.
When the modified configuration is executed, i.e. terraform plan/apply command is run &#8211; Terraform compares the modifications made with the state files, for the corresponding existence in the real world.
If additional resources are found in the configuration, Terraform plans to provision those resources in the next <code><code>apply</code></code> command execution. Whereas, if lesser resources are encountered, Terraform identifies the removed resources by comparing the configuration with the state file and plans to destroy them.
Thus, the State file &#8211; <code>terraform.tfstate</code> &#8211; is an extremely important piece of information maintained by Terraform itself. The <code>.terraform.tfstate.backup</code> file &#8211; as the name suggests, the backup file holds the previous execution&#8217;s backup.
Note: Terraform CLI offers various commands to query and modify state information. These commands are directly related to this state file. It is recommended to avoid any manual changes as that approach is risk-prone. Always use the state manipulation commands for operations related to the state file.
<h3>State lock file</h3>
However, there is one more file involved in all of this &#8211; <code>.terraform.tfstate.lock.info.</code> We do not have it in the previous screenshot. Its existence is temporary and it only exists when <code>plan</code>, <code>apply</code>, or <code>destroy</code> commands are being executed.
To observe this behavior, run <code>terraform apply</code> in the root directory of our project and do not enter anything when Terraform asks for the confirmation step below.

Hold on to this moment, and observe the file directory.

file-directory-terraform-tutorial

file directory

Here we can see <code>.terraform.tfstate.lock.info</code> file is created automatically. If you now enter ‘yes’, this file exists for the duration until Terraform successfully provisions these resources. Similar behavior is observed for the <code>destroy</code> command.
The purpose of this lock file is to avoid race conditions. Imagine a scenario where Terraform environment is created in a shared VM and multiple developers try to apply their changes simultaneously. For Terraform to decide and execute the applied changes in a particular sequence, it uses this lock file.
You can stay on top of everything you’re responsible for with Spacelift &#8211; helping you <a href="https://docs.spacelift.io/concepts/resources" target="_blank" rel="noopener">visualize your resources</a>, <span data-slate-fragment="JTdCJTIyb2JqZWN0JTIyJTNBJTIyZG9jdW1lbnQlMjIlMkMlMjJkYXRhJTIyJTNBJTdCJTdEJTJDJTIybm9kZXMlMjIlM0ElNUIlN0IlMjJvYmplY3QlMjIlM0ElMjJibG9jayUyMiUyQyUyMnR5cGUlMjIlM0ElMjJwYXJhZ3JhcGglMjIlMkMlMjJpc1ZvaWQlMjIlM0FmYWxzZSUyQyUyMmRhdGElMjIlM0ElN0IlN0QlMkMlMjJub2RlcyUyMiUzQSU1QiU3QiUyMm9iamVjdCUyMiUzQSUyMnRleHQlMjIlMkMlMjJsZWF2ZXMlMjIlM0ElNUIlN0IlMjJvYmplY3QlMjIlM0ElMjJsZWFmJTIyJTJDJTIydGV4dCUyMiUzQSUyMnJlZ2FyZGxlc3MlMjBvZiUyMHRoZSUyMHRlY2hub2xvZ3klMjB1c2VkJTIwJTIyJTJDJTIybWFya3MlMjIlM0ElNUIlNUQlMkMlMjJzZWxlY3Rpb25zJTIyJTNBJTVCJTVEJTdEJTVEJTJDJTIya2V5JTIyJTNBJTIyMmU4NDI2MDJiNjUzNDE4ZGEzYmFjY2E1ZDhkYzY2OWQlMjIlN0QlNUQlMkMlMjJrZXklMjIlM0ElMjJlODcxNjcxY2RkZDE0YWU5ODJlZDQ5MmJiZjg5N2ZjOCUyMiU3RCU1RCUyQyUyMmtleSUyMiUzQSUyMmM3OGZlMDFiN2Y3YzRhNzViODVhZjBiNzFmMjZhOWJlJTIyJTdE">regardless of the technology used.
If we take a look at the lock file, it contains information in the JSON format as below. IT contains information about current execution &#8211; ID, Time when the execution is triggered, Who triggered it, Path to the state file etc.

Any request that is prioritized to be executed, creates this temporary information set &#8211; stored in <code>terraform.tfstate.lock.info</code> file &#8211; and temporarily puts on hold any other request till the current execution is completed.
Such simultaneous requests for Terraform’s execution is a very rare and rather non-suggested scenario, and the Terraform seems to have a fallback in the form of such a locking mechanism.
However, even if it is so when working in the team setup, this falls short of avoiding corruption in the resource configuration. In the next section, we will see why and how remote backends help address this issue.

The state files we discussed in the previous section reside in the same directory where the rest of the Terraform code is being developed. This is said to use a ‘local backend’. It works well if only one developer controls/contributes to the infrastructure being developed.
Another issue with working in local mode is &#8211; version control of the code itself. To leverage the advantage offered by version controlling systems like Git, it becomes risky to make state files part of the same remote git repository.
In a team where multiple developers are responsible for developing the Terraform code if we decide to commit the state file to the remote Git repo &#8211; causes variations in the state being stored locally by each developer. Multiple developers contributing to this repository can commit their own versions of state files. 
When pulled by other developers, it causes inconsistency. This results in corruption of state files and Terraform may end up creating unnecessary orphan resources or unnecessarily destroying required resources. This can cause a serious problem when the team is large enough and the set of infrastructure being developed is huge.
Additionally, state files may also contain sensitive information like credentials and keys, which can be risky to be stored in remote repositories.
Remote backends solve these problems. Using a remote backend essentially means using a separate storage service to securely store state files independently. Of course, this does not mean using remote Git repositories.

terrafrorm-tutorial-diagram

terrafrorm tutorial diagram

When we introduce a remote backend in the Terraform development workflow, the development may follow the below workflow.
<ol>
<li style="font-weight: 400;" aria-level="1">Multiple developers have copies of the Terraform code from remote Git repositories available locally. They make their changes and push these changes back to the remote Git repository.</li>
<li style="font-weight: 400;" aria-level="1">They execute <code>terraform plan</code> command from their local environment. This causes 
<ul>
<li style="font-weight: 400;" aria-level="2">Terraform to apply the lock over the state file in the remote backend.</li>
<li style="font-weight: 400;" aria-level="2">Query for state information.</li>
<li style="font-weight: 400;" aria-level="2">Perform validation and present the plan.</li>
<li style="font-weight: 400;" aria-level="2">Release the state file lock.</li>
</ul>
</li>
<li style="font-weight: 400;" aria-level="1">They execute <code>terraform apply</code> command from their local environment. This causes
<ul>
<li style="font-weight: 400;" aria-level="2">Terraform to apply the lock over the state file in the remote backend.</li>
<li style="font-weight: 400;" aria-level="2">Query for state information.</li>
<li style="font-weight: 400;" aria-level="2">Identify the differences.</li>
</ul>
</li>
<li style="font-weight: 400;" aria-level="1">Terraform applies the changes in the configuration to the cloud provider.</li>
<li style="font-weight: 400;" aria-level="1">Upon successful execution, Terraform releases the lock over the state file
<ul>
<li style="font-weight: 400;" aria-level="2">This works similarly for the destroy command</li>
</ul>
</li>
</ol>
In our example till now, we have been working with the local backend. We would now configure the remote backend to address shortcomings identified when using local file storage for state files.
A range of compatible backends are available and can be found <a href="https://www.terraform.io/language/settings/backends" target="_blank" rel="nofollow noopener">here</a>. For our example, since we are dealing with AWS, we would use S3 as our remote backend. This is not a necessity though, we can use any backend of our choice.
To use <a href="https://spacelift.io/blog/terraform-s3-backend" target="_blank" rel="noopener">Amazon S3 as a backend</a>, we need one S3 bucket. Let us add the configuration for the S3 bucket in our <code>main.tf</code> file as below.

Run terraform apply to provision this bucket in AWS. To use this bucket as backend, add <code>backend "s3"</code> block to the terraform block present in <code>provider.tf</code> file. The final contents of the <code>provider.tf</code> file should look like below.

If you try to run <code>terraform apply</code> it should throw an error. This is because we need to reinitialize Terraform since we have changed the backend information. Now when you run <code>terraform init</code>, it asks for confirmation to move the pre-existing “local” backend to the newly configured “s3” backend. This is exactly what we want. Type in ‘yes’ to confirm the same and hit enter.

If you see the output as above, it means we have successfully configured the given S3 bucket as our remote backend. Log in to the AWS console and verify the same.

s3-bucket-terraform-tutorial

remote backend

Caution: If you now try to destroy the resources using the <code>terraform destroy</code> command, it will also delete the newly created S3 bucket &#8211; which is currently serving as our remote backend.
Run <code>terraform destroy</code>, and observe the output without confirming the same.

This is one of those cases where we would want to remove the bucket from Terraform management. The other option would be to create an S3 bucket separately and use it to configure the remote backend in the terraform block.
Removing the S3 bucket from Terraform management implies that we need to update the state file by removing the corresponding S3 bucket information. Doing this manually is risky. Ideally, the state files should never be touched. Terraform provides various state file management commands. One such command is <code>terraform state rm</code> command which removes the given resource from the state file.
From the terminal, run <code>terraform state rm aws_s3_bucket.state_bucket</code>.

20 Terraform Best Practices to Improve your TF workflow

Terraform Cheat Sheet - 21 Terraform CLI Commands & Examples

What is Terraform? What is it Used For, How it Works (Examples)

In this step by step tutorial, you will learn how to use Terraform and get hands-on experience in managing cloud infrastructure with IaC.

83-terraform-tutorial

Terraform tutorial

Learn more about new features, updates, and Spacelift product announcements.

Product Features and Updates | Spacelift Blog

Product

Marcin Wyszynski

The introduction of Infrastructure as Code or IaC has transformed the way you can provision and deploy high-performance cloud-based IT infrastructures.
IaC tools, such as Terraform, have been integrated into DevOps toolchains, saving DevOps IaC teams from the excessive manual effort.
While these tools undoubtedly help accelerate building IT infrastructures, their limitations can impact DevOps’ ability to optimize and improve control of their IaC processes supporting future business needs.
In this article, you’ll learn about IT infrastructure limitations that IaC DevOps teams deal with on a daily basis and how Spacelift is able to get past them.

One of the most frequent challenges while using more generic IaC tools is the non-intuitive workflow driven by its reliance on pull requests. Some solutions offer multiple workspaces, but the result can be fragile and nondeterministic. 
Since there’s no concept of mapping projects to branches or tags, anyone commenting on an approved pull request can deploy arbitrary code to production, even if the approval was meant for a short-lived experimental environment.
Spacelift does not depend on pull requests. It is mostly driven by push and tag events, so building a sophisticated Git flow is much easier. Spacelift reports the outcome of its jobs as commit status checks, allowing you to block merging the code on a failing Spacelift check.
Triggering a run can be customized using <a href="https://docs.spacelift.io/concepts/policy/git-push-policy" target="_blank" rel="noopener">Git push policies</a>. Thanks to that, Spacelift can provide the same level of comfort and security to teams using one project per repository and those using mono repo with hundreds of interdependent projects. You can read more about our approach to VCS integration <a href="https://docs.spacelift.io/integrations/source-control/github#tracked-branches" target="_blank" rel="noopener">here</a>.

The majority of generic tools don’t offer access control models but rely on comments on pull requests to drive infrastructure deployments. While it is usually fine when a single repository drives a single Terraform project, it becomes a huge liability for more complex scenarios.
Spacelift ships with a sophisticated mechanism allowing administrators to declare <a href="https://docs.spacelift.io/concepts/policy/login-policy" target="_blank" rel="noopener">who can log in</a> (and under what circumstances) and what their <a href="https://docs.spacelift.io/concepts/policy/stack-access-policy" target="_blank" rel="noopener">level of access</a> to each of the managed projects should be. Even our <a href="https://docs.spacelift.io/integrations/slack" target="_blank" rel="noopener">Slack integration</a> can be subject to policy controls, allowing an admin to grant access to a project <a href="https://docs.spacelift.io/integrations/slack#managing-access-to-stacks-with-policies" target="_blank" rel="noopener">based on Slack-specific data</a> (think team, channel, user, etc.).

One thing that’s not in scope for most IaC solutions is the way to ensure that your infrastructure is compliant with industry best practices and your company policies.
Spacelift puts policy-as-code in the center of its value proposition and builds a consistent, <a href="https://docs.spacelift.io/concepts/policy/" target="_blank" rel="noopener">robust policy framework</a> on top of <a href="https://www.openpolicyagent.org/" target="_blank" rel="nofollow noopener">Open Policy Agent</a>. Apart from providing a comprehensive automated change review and ensuring compliance of your <a href="https://docs.spacelift.io/concepts/policy/terraform-plan-policy" target="_blank" rel="noopener">Terraform changes</a>, Spacelift uses the same approach to allow you to declare rules around the <a href="https://docs.spacelift.io/concepts/policy/login-policy" target="_blank" rel="noopener">account</a> and <a href="https://docs.spacelift.io/concepts/policy/stack-access-policy" target="_blank" rel="noopener">project access</a>, <a href="https://docs.spacelift.io/concepts/policy/git-push-policy" target="_blank" rel="noopener">handling push notifications</a>, <a href="https://docs.spacelift.io/concepts/policy/run-initialization-policy" target="_blank" rel="noopener">starting runs</a> and <a href="https://docs.spacelift.io/concepts/policy/task-run-policy" target="_blank" rel="noopener">triggering tasks</a>, and creating <a href="https://docs.spacelift.io/concepts/policy/trigger-policy" target="_blank" rel="noopener">relationships between projects</a>.

Handling interdependencies between projects has always been Terraform’s Achilles’ heel. The usual approach to this problem is adding another layer of abstraction in the form of a Terraform wrapper like <a href="https://terragrunt.gruntwork.io/" target="_blank" rel="nofollow noopener">Terragrunt</a>. But it’s only a partial solution as it breaks the problem into smaller chunks.
<a href="https://docs.spacelift.io/concepts/policy/trigger-policy" target="_blank" rel="noopener">Spacelift’s trigger policies</a> on the other hand provide a smart, declarative automation layer on top of vanilla Terraform. They allow you to plug into state changes of individual projects and declare dependencies that should be resolved, following the changes that have just been applied. Read more <a href="https://docs.spacelift.io/concepts/policy/trigger-policy" target="_blank" rel="noopener">here</a> to discover other exciting possibilities.

<ul>
<li><a href="https://spacelift.io/blog/spacelift-module-registry" target="_blank" rel="noopener">How to Use Spacelift Module Registry</a></li>
<li><a href="https://spacelift.io/blog/why-devops-engineers-recommend-spacelift" target="_blank" rel="noopener">Why DevOps Engineers Recommend Spacelift</a></li>
<li><a href="https://spacelift.io/blog/infrastructure-problems-that-spacelift-solves" target="_blank" rel="noopener"><span data-sheets-value="{&quot;1&quot;:2,&quot;2&quot;:&quot;Infrastructure Problems that Spacelift Solves&quot;}" data-sheets-userformat="{&quot;2&quot;:4224,&quot;10&quot;:2,&quot;15&quot;:&quot;Arial&quot;}">Infrastructure Problems that Spacelift Solves</a></li>
</ul>

Another problem to solve externally when using some of the generic tools is authoring and maintaining reusable <a href="https://spacelift.io/blog/what-are-terraform-modules-and-how-do-they-work" target="_blank" rel="noopener">Terraform modules</a> for your organization. Terraform is flexible in allowing modules to come from <a href="https://www.terraform.io/docs/modules/sources.html" target="_blank" rel="nofollow noopener">various sources</a>, but ensuring confidential access, as well as testing and versioning, are left to you, the user.
Until now, the golden standard in that regard has been the <a href="https://www.terraform.io/docs/cloud/registry/index.html" target="_blank" rel="nofollow noopener">private module registry from HashiCorp</a>. But Spacelift offers much more. Far from being just a glorified package manager, Spacelift adds a <a href="https://docs.spacelift.io/vendors/terraform/module-registry" target="_blank" rel="noopener">full CI solution for Terraform modules</a>, out of the box and free of charge. You can thus ensure that your <a href="https://spacelift.io/blog/spacelift-module-registry" target="_blank" rel="noopener">private modules</a> are healthy before you distribute them to the rest of your organization.

If you manage a single or a handful of rarely changing projects, it’s likely that you just set your IaC up once and forget about it. But in a more dynamic environment, where microservices come and go, new environments proliferate and new product teams require their own Terraform workspaces. The need to configure it each and every time become a major nuisance, putting a lot of pressure on your DevOps team.
Enter Spacelift. In Spacelift, much of the configuration can be handled by the project owners themselves—you can add Terraform and/or <a href="https://docs.spacelift.io/concepts/configuration/environment" target="_blank" rel="noopener">environment variables</a> and mount files (even inject Terraform code!) programmatically or through the GUI without the need for administrative privileges or changing the central server configuration. For administrators, adding new projects requires minimal hassle since there’s no need to set up webhooks or change any YAML. And it can all be done programmatically using Terraform.

What comes as a pleasant surprise to users of generic CI tools, Spacelift entities such as stacks, contexts, modules or policies can be managed in a declarative way using your favorite infra-as-code tool (this rule applies also to their configuration). Yes, that’s right—<a href="https://docs.spacelift.io/vendors/terraform/terraform-provider" target="_blank" rel="noopener">Spacelift offers a Terraform provider</a> that allows you to programmatically manage the lifecycle of its own resources.
Administrative stacks get credential-less access to the subset of our <a href="https://docs.spacelift.io/integrations/api" target="_blank" rel="noopener">GraphQL API</a> that does not involve managing the actual infrastructure. For more sophisticated use cases, Spacelift allows you to generate API keys that are subject to the same access controls as normal users are, allowing you to create single-purpose tokens for restricted use by your internal scripts.

Generic IaC platforms do not provide any mechanisms to detect if your infrastructure is undergoing drift. Drift is a condition that represents the difference between the desired and the actual state of the infrastructure managed by your tool of choice &#8211; <a href="https://www.terraform.io/" target="_blank" rel="nofollow noopener">Terraform</a>, <a href="https://www.pulumi.com/" target="_blank" rel="nofollow noopener">Pulumi</a>, <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="nofollow noopener">CloudFormation,</a><a href="https://docs.spacelift.io/vendors/kubernetes/" rel=""> Kubernetes</a>, or another. Drift can be caused by either or a combination of changes directly introduced by external actors &#8211; either humans or machines (scripts) or via the dependency of your resources on external data sources. In any case, drift is not good.
Spacelift has got you covered here. You can configure periodic <a href="https://docs.spacelift.io/concepts/stack/drift-detection" target="_blank" rel="noopener">drift detection </a>to notify you whenever drift happens, and take immediate action. You can even go a step further with optional automatic <a href="https://docs.spacelift.io/concepts/stack/drift-detection#to-reconcile-or-not-to-reconcile" target="_blank" rel="noopener">reconciliation</a>, ensuring your infrastructure always resembles your Terraform configuration.

General-purpose CI/CD platforms provide little to no insight into resource utilization from either a real-time or historical perspective. Which resources are over-or underutilized? 
Developers need to be able to intimately understand the material they’re working with. With regards to infra-as-code, the most important part of this story is understanding the managed resources in-depth. Both from the current perspective and through being able to put each resource in its historical context.
The resources view in Spacelift gives you greater visibility into each and every resource. With this deep insight into resources, DevOps are able to gain an understanding of the lifecycle of each resource managed by Spacelift and document it, regardless of the technology used — <a href="https://www.terraform.io/" target="_blank" rel="nofollow noopener">Terraform</a>, <a href="https://github.com/gruntwork-io/terragrunt" target="_blank" rel="nofollow noopener">Terragrunt</a>, <a href="https://spacelift.io/blog/what-is-pulumi" target="_blank" rel="noopener">Pulumi</a>, <a href="https://docs.spacelift.io/vendors/kubernetes/" target="_blank" rel="noopener">Kubernetes</a>, or <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="nofollow noopener">CloudFormation</a>.

Last but not least, Spacelift puts an emphasis on great user experience, offering a myriad of creature comforts. <a href="https://docs.spacelift.io/concepts/configuration/context" target="_blank" rel="noopener">Contexts</a> for example allow you to attach entire collections of configuration to individual stacks and modules. <a href="https://docs.spacelift.io/concepts/run/task" target="_blank" rel="noopener">Tasks</a> provide a powerful audited way of running one-off administrative commands on an initialized Terraform environment &#8211; subject to <a href="https://docs.spacelift.io/concepts/run/task" target="_blank" rel="noopener">their own policy constraints</a>. <a href="https://docs.spacelift.io/concepts/stack/#stack-locking" target="_blank" rel="noopener">Stack locking</a> allows a single individual to take exclusive control over a stack to ensure that nobody is able to modify its state while crucial changes are being made.

Spacelift is an innovative and sophisticated SaaS product for Infrastructure as Code which helps IaC DevOps develop and deploy new infrastructures or changes quickly and with confidence.
Spacelift offers a unique set of IaC management capabilities:
<ol>
<li style="font-weight: 400;" aria-level="1">an intuitive, <a href="https://docs.spacelift.io/concepts/policy/git-push-policy" target="_blank" rel="noopener">versatile</a> and <a href="https://docs.spacelift.io/concepts/run/#run-state-machine" target="_blank" rel="noopener">robust</a> workflow</li>
<li style="font-weight: 400;" aria-level="1">granular access controls on <a href="https://docs.spacelift.io/concepts/policy/login-policy" target="_blank" rel="noopener">account</a> and <a href="https://docs.spacelift.io/concepts/policy/stack-access-policy" target="_blank" rel="noopener">project</a> level that work well with an <a href="https://docs.spacelift.io/integrations/single-sign-on/" target="_blank" rel="noopener">identity provider of your choice</a> (SSO)</li>
<li style="font-weight: 400;" aria-level="1">an <a href="https://docs.spacelift.io/concepts/policy/terraform-plan-policy" target="_blank" rel="noopener">automated code review</a> and <a href="https://docs.spacelift.io/concepts/policy/task-run-policy" target="_blank" rel="noopener">threat detection</a> </li>
<li style="font-weight: 400;" aria-level="1">the ability to <a href="https://docs.spacelift.io/concepts/policy/trigger-policy" target="_blank" rel="noopener">declare complex workflows</a> between projects across multiple repositories</li>
<li style="font-weight: 400;" aria-level="1">a <a href="https://docs.spacelift.io/vendors/terraform/module-registry" target="_blank" rel="noopener">built-in private module registry</a> with a full CI system for modules</li>
<li style="font-weight: 400;" aria-level="1">effortless setup and customization with <a href="https://docs.spacelift.io/concepts/configuration/environment" target="_blank" rel="noopener">per-project environment management</a> and <a href="https://docs.spacelift.io/integrations/docker" target="_blank" rel="noopener">Docker integration</a></li>
<li style="font-weight: 400;" aria-level="1"><a href="https://docs.spacelift.io/vendors/terraform/terraform-provider" target="_blank" rel="noopener">programmatic configuration</a> using Terraform</li>
<li style="font-weight: 400;" aria-level="1"><a href="https://docs.spacelift.io/concepts/stack/drift-detection" target="_blank" rel="noopener">drift detection </a></li>
<li style="font-weight: 400;" aria-level="1"><a href="https://docs.spacelift.io/concepts/resources" target="_blank" rel="noopener">resource visualization</a></li>
</ol>
… and a multitude of additional perks like <a href="https://docs.spacelift.io/concepts/configuration/context" target="_blank" rel="noopener">contexts</a>, <a href="https://docs.spacelift.io/concepts/run/task" target="_blank" rel="noopener">tasks</a> or <a href="https://docs.spacelift.io/concepts/stack/#stack-locking" target="_blank" rel="noopener">stack locking</a>.

There are many ways to manage your Infrastructure as Code. Each way is different in terms of complexity and offers a different set of features. It is important to keep in mind that choosing one way or another should be based on business and technical requirements. Most often, there is no point in implementing an in-house solution as the cost and effort of building and maintaining it may exceed its potential benefits. It is much easier and more efficient to leverage platforms such as Spacelift to provide these features for you instead.

Spacelift is a flexible orchestration solution for IaC development. It delivers enhanced collaboration, automation and controls to simplify and accelerate the provisioning of cloud based infrastructures

Terraform vs. Ansible : Key Differences and Comparison of Tools

Infrastructure Drift Detection and How to Fix It With IaC Tools

Most often, there is no point in implementing an in-house solution as the cost and effort of building and maintaining it may exceed its potential benefits. It is much easier and more efficient to leverage ready-to-go platform to provide these features instead.

how_spacelift_can_improve_your_iac

How Spacelift Can Improve Your Infrastructure as Code 

Kamil Szczygiel

Learning Terraform can be easy. The HCL configuration language is simple enough to start with basic resource creation straight away. 
But—
Once the code that defines your infrastructure grows in complexity, maintainability, and dependency, an uphill battle can ensue. And that is why working out an efficient deployment workflow is crucial for further development.
In this article you will see five approaches to managing Terraform workflows at scale, what their benefits and downsides are, and what problems they address.

A quick and easy way to start deploying resources using the Infrastructure as Code pattern is to use Terraform locally from the same machine you’re developing the code on. The only requirement is to have access to the target provider and an installed Terraform binary.
This approach makes it much easier to leverage commands related to day-to-day operations (such as state import, move, remove) or to get outputs than if doing it within the implementations where you have no direct access to the underlying provider.
You can also use all of the features of Terraform, such as remote state and state locking, to work with your teammates all-at-once. If you collaborate using a version control system and do not have continuous integration in place, but want to keep your code at a decent level of quality, there are tools to help you.
One of these is <a href="https://github.com/antonbabenko/pre-commit-terraform" target="_blank" rel="nofollow noopener">pre-commit-terraform</a> that will run a set of selected tools to lint the code you’re creating before you even commit it. Even if you have continuous integration available, it’s a handy way to avoid wasting time waiting for results from pull request status checks.
What are the drawbacks of this approach? Each action is manual and must be performed directly by the developer, which leads to several issues. 
In a situation where multiple people are working on the same codebase, you could often encounter a scenario such as this one:
Person A applies their changes to the environment and follows up with a pull request. At the same time, Person B would like to deploy their changes but is blocked as the codebase is not up-to-date with Person A’s changes. Applying the changes in this state would cause damage to the resources created in the previous deployment. When working in larger teams, this will often result in a lot of wasted time just waiting and rebasing on a codebase to apply the changes.
If you happen to write unit tests for <a href="https://spacelift.io/blog/what-are-terraform-modules-and-how-do-they-work" target="_blank" rel="noopener">Terraform modules</a> (and you should be), you’re sure to know they need to be executed manually from your computer. Running them every time you change something in your configuration can be tedious and time-consuming. If you do not yet write tests for your modules, you’d be well advised to start looking at <a href="https://docs.spacelift.io/vendors/terraform/module-registry#tests" target="_blank" rel="noopener">Spacelift modules tests</a> or <a href="https://terratest.gruntwork.io/docs/getting-started/quick-start/" target="_blank" rel="nofollow noopener">Terratest</a>.
Privileged access to an underlying vendor is required, which can easily result in a compromised environment. It’s much harder to keep restricted access within this model, as Terraform must be allowed to create, change, and destroy resources. The same rule applies to a scenario where access to private (internal) resources is required, e.g., every developer has to set up a VPN connection to interact with them.
Moreover, every person working with the codebase needs access to the Terraform state, which creates a security concern due to how Terraform state works. Even if you’re pulling sensitive data from an external system such as Vault, it will be stored within the state file in plaintext once used in a resource. A threat actor could simply run `terraform state pull` to access all the secrets!
Keeping all these issues in mind, let’s take a look at a more automated approach.

Implementing homegrown automation means incorporating Terraform workflow into your continuous integration / continuous deployment process. A specific example would need to directly tie to a CI/CD tool you are using, so let’s try to keep the example as generic as possible.
As the applying actor is the CI/CD system, the hard requirement of privileged access for developers is gone. You can grant this type of access to the execution layer while developers keep read-only permissions. This is true for private (internal) resources, and if your code is being executed on an agent that resides within the target infrastructure with the proper permissions having been set. In a model where everything has to go through the <a href="https://spacelift.io/blog/terraform-in-ci-cd" target="_blank" rel="noopener">CI/CD pipeline</a>, visibility of changes is improved as the system logs produced during the operation execution are available in real-time. 
Linting, compliance checks, and automated unit tests can be moved to pull request status checks, and it’s up to you to configure these steps of the pipeline.
But—
If your CI/CD is executing jobs concurrently, you will end up with race conditions causing pull requests to fail non-deterministically. 
It is not difficult to imagine a situation where two operators open a pull request within several seconds of one another. The pipeline gets triggered immediately for both, and one pull request will be marked as successful, while the other will be marked as failed. This situation will definitely happen if you are using state locking (it is a best practice and you really should be using it).
The explanation is simple: the first pull request has locked the state and therefore the second one could not, so it failed. This issue can be resolved by configuring queued runs, where only one pipeline can run at a time. However, this is not so simple with some CI/CD products.
The biggest issue and concern with this approach is the effort you have to put in to build a complete pipeline. If you consider requirements such as:
<ul>
<li style="font-weight: 400;" aria-level="1">planning on pull requests</li>
<li style="font-weight: 400;" aria-level="1">linting</li>
<li style="font-weight: 400;" aria-level="1">unit tests</li>
<li style="font-weight: 400;" aria-level="1">compliance checks</li>
<li style="font-weight: 400;" aria-level="1">applying once merged</li>
<li style="font-weight: 400;" aria-level="1">periodical drift detection</li>
<li style="font-weight: 400;" aria-level="1">registry for all your versioned modules</li>
<li style="font-weight: 400;" aria-level="1">modules sharing across different parts of the organization</li>
<li style="font-weight: 400;" aria-level="1">shared variable contexts/reusable values</li>
</ul>
It might be tempting to implement solutions for those requirements by yourself. However, taking into account the time and effort required for doing it, you might want to take a look at alternatives, such as open-source tools.

One of the most popular open-source tools to use with Terraform is Atlantis, which describes itself as “Terraform pull request automation”. You can read more about it here: <a href="https://spacelift.io/blog/alternative-to-atlantis" target="_blank" rel="noopener">Alternative to Atlantis</a>.

Terraform Cloud is an application provided by the company behind Terraform itself—HashiCorp. It is available for free for up to 5 users. Two plans are available for more users: “Team &amp; Governance” and “Business”. As the product is created by Terraform authors themselves, any new feature that makes it to Terraform will be quickly available within Terraform Cloud as well. Neat!
See the comparison: <a href="https://spacelift.io/blog/atlantis-terraform" target="_blank" rel="noopener">Atlantis vs. Terraform Cloud</a>.
<h3>Advantages of Terraform Cloud</h3>
Advanced security compliance mechanisms available through Sentinel allow you to enforce organization standards even before the code actually ships and creates resources with the chosen provider context.
Another important feature is a module registry that acts as an artifact repository for all your modules. It can be compared to JFrog Artifactory, Sonatype Nexus, or other similar software. Having every module in a separate repository and versioning allows you to control code promotion in a granular fashion or quickly roll back to if it allows you to go back to the most recent version only, then we should use “the”, but if it lets you go back to some other earlier version then we should use “a” previous version. 
Having a centralized place to store all the pieces also enables you to quickly browse through available modules, their documentation, inputs, outputs, and used resources. It is a great single pane of glass in terms of module management. However, it can only be used within the same Terraform Cloud organization and cannot be shared. This might be troublesome for operations teams that base their separation on the organization level.
There’s also the remote execution backend, which is an exclusive feature for Terraform Cloud. It allows you to work with Terraform on your local computer as you would usually do, upload your local codebase, and run a plan against it. It is a very efficient way of quickly verifying if what you are working on is actually working.
<h3>Disadvantages of Terraform Cloud</h3>
Along with so many benefits, there are some drawbacks as well. Any linting or module unit tests need to be implemented inside your own continuous integration system. This requires an additional effort the development team has to make to sustain their code quality.
Another disadvantage is that you are not able to share common values across your workspaces. Imagine a situation where you share a common set of variables like cloud region or environment name. The only way to achieve something similar to shared context is to have a dedicated workspace that will output this information as an input for all remaining workspaces, although this would be more of a workaround than an actual solution.
Compliance as code is available via Sentinel, a framework created by HashiCorp. Having a built-in solution to develop policies is nice, but operators often already use <a href="https://spacelift.io/blog/what-is-open-policy-agent-and-how-it-works" target="_blank" rel="noopener">Open Policy Agent (OPA)</a> to define these within different areas of the infrastructure. This frequently ends up in a doubled effort as you need to create a similar policy in both frameworks.
The biggest shortcoming of Terraform Cloud is in my opinion the lack of periodical drift detection runs. Once something is applied and the codebase does not get updates, you will never be notified if anything has changed in comparison to the state within the repository. Scheduling a daily “plan” to verify if everything is up-to-date would be highly beneficial to keep the infrastructure as described programmatically.

And here we are. You can <a href="https://spacelift.io/terraform-cloud-alternative" target="_blank" rel="noopener">compare Spacelift directly to Terraform Cloud</a>. They share a lot of functionality with each other in terms of the actual deployment execution, but also in the area of compliance.
While Terraform Cloud uses Sentinel (the HashiCorp approach to implementation for compliance as code), Spacelift leverages Open Policy Agent. It is beneficial to have a similar way of working with policies for companies that already incorporate OPA in their workflow (e.g., for Kubernetes). As there is no need to learn another syntax, operators can focus their efforts on providing compliance, instead of learning yet another tool.
Spacelift also allows you to automate your workflow even further. By having a built-in continuous integration for modules, you can shift your linters or unit tests really quickly into one place dedicated to Terraform. It helps you reduce the effort required to implement integration workflow by letting you utilize a solution that you are already using.
Sometimes you need to work with a Terraform state directly to import something, for example. In scenarios where you are leveraging Terraform Cloud, it is often impossible to do this without accessing the provider yourself. In contrast, Spacelift gives you the ability to run literally any command within the context of a particular codebase via tasks. This way, you do not need to grant any additional permissions to import, move, or remove resources directly.
By utilizing contexts, you can simply share anything you like across multiple stacks—whether it is a set of environment variables or a file. This is something that becomes much more valuable once your codebase complexity increases.
As mentioned in the previous paragraph, drift detection is something that becomes much more important once your infrastructure grows. With Spacelift, it is possible to <a href="https://docs.spacelift.io/concepts/stack/drift-detection#" target="_blank" rel="noopener">schedule a periodic drift detection</a> on any stack. Going even further, you can enable automated remediation if any changes are found compared to what you have in your codebase.

There are many ways of working with Terraform. Each way is different in terms of complexity, and has a different set of features. It is important to keep in mind that choosing one way or another should be based on business and technical requirements. Most times, there is no point in implementing an in-house solution as the cost and effort of building and maintaining it may often exceed its potential benefits. It is much easier and quicker to leverage platforms such as <a href="https://spacelift.io" target="_blank" rel="noopener">Spacelift</a> to provide these features for you instead.

Spacelift helps manage Terraform state, build more complex workflows, supports policy as code, programmatic configuration, context sharing, drift detection, resource visualization and many more.

Provisioning AWS EKS Cluster with Terraform - Tutorial

How to Get Started with Terraform on GCP - Tutorial

This article goes through five approaches to managing Terraform workflows at scale: using Terraform locally, automating it in-house, using open source solution, using Terraform Cloud, and using Spacelift.

Terraform Data Sources – How They Are Utilised

What are Terraform data sources?

Example usage

Refreshing data sources

Manage Terraform Better and Faster

Written by

Jacob Martin