In this article, we will introduce Terraform to those new to it, explaining its features and workflow before showing how it works and why it has become a key tool in modern DevOps. We will also discuss some key use cases that might apply to your environment and list the common challenges you will face when first getting up and running with Terraform to speed up your implementation. Let’s get acquainted!
Terraform is a key infrastructure-as-code (IaC) tool in the DevOps ecosystem. It is designed to manage and automate infrastructure provisioning through code.
Terraform’s declarative syntax lets you specify the desired state of your infrastructure while the tool determines the necessary steps to achieve it. It supports various cloud platforms and on-premises data centers through plugins called providers. These translate Terraform configurations into specific API calls for each platform.
Seamlessly integrating with CI/CD pipelines, Terraform automates infrastructure provisioning and changes, streamlining development workflows and ensuring repeatability across environments.
Terraform features
As well as the features mentioned above, Terraform also provides the following capabilities that help it fit perfectly into the DevOps pipelines:
Terraform feature | Description |
Multi-cloud provisioning | Terraform supports a wide range of cloud providers, including AWS, Azure, Google Cloud, and other services (like GitHub, and Datadog) through a flexible plugin system.
You can use Terraform to provision resources like servers, databases, firewalls, and more across different cloud platforms. Provisioners allow users to execute scripts or configuration management tools (like Ansible, Chef, or Puppet) to perform additional infrastructure setup steps. |
Remote state management | State files can be stored remotely (e.g., in AWS S3, HashiCorp Consul, Spacelift, or Terraform Cloud) to enable collaboration and maintain consistency across team members. |
Policy as code | Terraform integrates with tools like HashiCorp Sentinel and OPA to enforce security and compliance policies as code. This ensures infrastructure configurations adhere to organizational standards. Read more: How to Enforce Policy as Code in Terraform |
Reusability | Modules are reusable configurations that can encapsulate complex resource setups. They help organize and reuse infrastructure code across projects. Terraform provides a public module registry for sharing and discovering modules.
Terraform also allows you to create and share reusable infrastructure modules within your organization using a private module registry. This promotes code reuse and consistency across projects. You can write custom providers or modules, extending Terraform’s capabilities to meet specific needs. |
Drift detection | Terraform can continuously monitor your infrastructure and identify any changes that have occurred outside the IaC definitions to help maintain infrastructure consistency and security. |
Dependency management | Terraform builds a graph of all resources and their dependencies, ensuring that resources are created or destroyed in the correct order. |
Parallelism | By understanding resource dependencies, Terraform can optimize the provisioning process through parallel execution of independent resources. |
Environment management | Terraform workspaces allow users to manage multiple environments (like development, staging, and production) within the same configuration. Each workspace maintains its own state file. |
Terraform, at its core, is an engine that reads your configuration and interacts with various providers. Providers enable Terraform to interact with specific cloud platforms or services such as AWS, Azure, Google Cloud, Kubernetes, and many more, with each provider offering access to the resources available on that platform via an API.
You define your infrastructure using HashiCorp Configuration Language (HCL), which specifies its desired state. Essentially, you tell Terraform what you want, not how to achieve it.
Terraform workflow
One great feature of Terraform is its unified workflow. Infrastructure from multiple providers can be managed using a single configuration language and workflow. The core Terraform workflow consists of the steps described below:
- Write: Your desired infrastructure is defined in Terraform configuration files written in HCL. This also includes the provider setup (e.g. which platform you provision to and how to authenticate to it).
- Initialize:
terraform init
is run to initalize Terraform. At this stage, the necessary providers and plugins are downloaded depending on what you specified in your configuration. - Plan:
terraform plan
generates an execution plan that shows what actions will be taken to reach the desired state of the infrastructure. This helps with understanding and validating the changes before they are applied. Should the plan show unexpected or undesirable changes, you can go back to the write stage and modify your configuration files without affecting your infrastructure. - Apply: After reviewing the execution plan, users can run
terraform apply
to apply the changes to update the infrastructure. - Destroy:
terraform destroy
allows you to remove the infrastructure defined in your configuration files.
Terraform is a powerful and flexible tool for implementing infrastructure as code. The process below will get you started practically with Terraform deploying infrastructure to Microsoft Azure.
If you want to learn more, check out: Managing Infrastructure as Code (IaC) With Terraform
- Download and install Terraform from the official website, or see the installation tutorial.
- Inside a new directory, create a file named provider.tf to configure the Azure provider.
# provider.tf
provider "azurerm" {
features {}
}
Configure the Azure provider to interact with your Azure subscription. There are various ways to authenticate to Azure. You can refer to the official documentation for setup steps.
- Create another file named main.tf to define the Terraform configuration. This is where you define your resources using the Terraform docs as a reference.
The example Terraform code below shows how to define an Azure resource group, Virtual Network, and subnet resources with basic configuration.
resource "azurerm_resource_group" "main" {
name = "my-resource-group"
location = "uksouth"
}
resource "azurerm_virtual_network" "myvnet" {
name = "my-vnet"
location = "uksouth"
address_space = ["10.0.0.0/16"]
resource_group_name = azurerm_resource_group.main.name
}
resource "azurerm_subnet" "mysubnet" {
name = "my-subnet"
resource_group_name = azurerm_resource_group.main.name
virtual_network_name = azurerm_virtual_network.myvnet.name
address_prefixes = ["10.0.0.0/24"]
}
- Open your terminal and navigate to the project directory.
- Run
terraform init
to initialize Terraform and download the Azure provider. - Run
terraform plan
to preview the changes Terraform will make based on your configuration. Carefully review the plan to ensure it meets your expectations. - If the plan looks good, run
terraform apply
to create the virtual network in Azure.
Terraform is used in DevOps to automate the provisioning and updating of infrastructure as part of the application deployment process. It integrates with CI/CD tools like Azure DevOps, Jenkins, GitLab CI, and GitHub Actions, ensuring infrastructure changes are versioned and consistently applied alongside application code changes. These deployment pipelines can themselves be written in code (pipelines-as-code) using YAML format and stored in source control.
In short, Terraform’s importance in DevOps lies in its ability to automate, standardize, and version-control infrastructure management, leading to more efficient, reliable, and scalable operations.
Let’s now look at some specific use cases.
Use case examples for Terraform in DevOps
Terraform is primarily used for cloud infrastructure provisioning. For example, it can be used to deploy a web application on AWS or set up the entire infrastructure required for a web application, including VPCs, subnets, EC2 instances, RDS databases, security groups, and load balancers.
Terraform can be used to provision Kubernetes clusters and deploy containerized applications using Helm charts or other Kubernetes resources. Immutable infrastructure ensures that deployments are predictable and repeatable. Terraform can provision serverless resources like AWS Lambda, API Gateway, DynamoDB, and S3, enabling the deployment of serverless applications. Terraform can also configure network components such as VPCs, subnets, VPN gateways, and peering connections to enable secure communication between on-premises data centers and cloud environments.
Because Terraform can be used for multicloud deployments, you can use it to provision environments across AWS and Azure, for example. This is useful when setting up a disaster recovery environment. Terraform can automate the creation of backup environments, including databases, storage, and failover configurations, to ensure quick recovery in case of a disaster.
Terraform can implement all a resource’s available features in the cloud, (if the provisioned is updated in line with the cloud APIs. For instance, it can set up auto-scaling groups and load balancers in AWS that automatically scale the number of instances based on demand.
Terraform workspaces or modules can be used to manage different environments. Each environment can have its own configuration, state files, and resources — for example, managing multiple environments (development, staging, production) for a microservices application.
In addition to provisioning infrastructure, Terraform can be used to enforce security policies across the provisioned infrastructure deployments — for example, using Terraform Cloud’s Sentinel policies or Open Policy Agent (OPA) integrations. This ensures all infrastructure adheres to organizational policies, improving security and compliance.
Implementing Terraform in a DevOps setting brings several challenges. Here are some key ones:
- Learning curve: Terraform has its own configuration language (HCL), which requires some learning investment. However, it is considered fairly easy to pick up compared with fully-fledged programming languages. Here is a good place to start learning Terraform: Getting Started With Terraform Tutorial.
- Security concerns: Secure storage and management of sensitive data (passwords, API keys) within Terraform configurations require careful consideration.
- Potential for overcomplexity: For very simple deployments, Terraform might introduce unnecessary complexity compared with manual configuration.
Terraform is really powerful, but to achieve an end-to-end secure GitOps approach, you need to use a product that can run your Terraform workflows. Spacelift takes managing Terraform to the next level by giving you access to a powerful CI/CD workflow and unlocking features such as:
- Policies (based on Open Policy Agent) — You can control how many approvals you need for runs, the kind of resources you can create, and the kind of parameters these resources can have, and you can also control the behavior when a pull request is open or merged.
- Multi-IaC workflows — Combine Terraform with Kubernetes, Ansible, and other IaC tools such as OpenTofu, Pulumi, and CloudFormation, create dependencies among them, and share outputs
- Build self-service infrastructure — You can use Blueprints to build self-service infrastructure; simply complete a form to provision infrastructure based on Terraform and other supported tools.
- Integrations with any third-party tools — You can integrate with your favorite third-party tools and even build policies for them. For example, you can Integrate security tools in your workflows using Custom Inputs.
Spacelift enables you to create private workers inside your infrastructure, which helps you execute Spacelift-related workflows on your end. The documentation provides more information on configuring private workers.
Spacelift can also optionally manage the Terraform state for you, offering a backend synchronized with the rest of the platform to maximize convenience and security. You can also import your state during stack creation, which is very useful for engineers who are migrating their old configurations and states to Spacelift.
Behind the scenes, Spacelift uses Amazon S3 and stores all the data in Ireland. It’s super simple to have Spacelift manage the state for you, as this behavior is achieved by default without you needing to do anything. You can read more about how it actually works here.
At the same time, it’s protected against accidental or malicious access as Spacelift can map state access and changes to legitimate Spacelift runs, automatically blocking all unauthorized traffic.
For more information, refer to this blog post, which details Spacelift’s remote state capabilities. To learn more about Spacelift, create a free account today or book a demo with one of our engineers.
Terraform is an industry-standard, IaC tool for deploying resources across multiple cloud services and providers. Its configuration language and workflow are easy to understand, ensuring consistent and repeatable deployments and delivering the many other benefits listed above.
Note: New versions of Terraform are placed under the BUSL license, but everything created before version 1.5.x stays open-source. OpenTofu is an open-source version of Terraform that expands on Terraform’s existing concepts and offerings. It is a viable alternative to HashiCorp’s Terraform, being forked from Terraform version 1.5.6.
Automate Terraform Deployments with Spacelift
Automate your infrastructure provisioning, build more complex workflows based on Terraform using policy as code, programmatic configuration, context sharing, drift detection, resource visualization, and many more.