Infrastructure as Code Terraform Configuration management
10/27/2022
In this article, we will look into Terraform State management. First, we'll define Terraform state and why it's necessary, then dive into some best practices for storing, structuring, and isolating state files. Then, we'll look at how to utilize a data source to reference the remote state, and finally, how to use the terraform state command to change the contents of the state file.
Terraform keeps a record of the resources it creates in a state file. This lets Terraform determine which resources are under its control and when to update or delete them. The state file is named terraform.tfstate by default and is stored in the directory from which Terraform is launched. It is created when terraform apply is executed. The file is a JSON-formatted mapping between the resources in your configuration and those that exist in your infrastructure. When Terraform runs, it uses this mapping to compare the infrastructure to the code and make any required changes.
By default, state files are stored in the local directory where Terraform is executed. This is OK if you are using Terraform for testing or a personal project (as long as your state file is safe and backed up!). It becomes a problem when working on Terraform projects in a team, since numerous people will need to access the state file. In addition, when automation and CI/CD pipelines execute Terraform, the state file must be available to them, and the service principal executing the pipeline must be granted permission to access the storage account container holding the state file.
As a result, shared storage is an excellent choice for storing the state file. Permissions can be issued on an as-needed basis. Amazon S3 buckets are a good choice. Terraform also supports storing state in GitLab, HashiCorp Consul, Terraform Cloud, Google Cloud Storage, Azure Blob Storage, Alibaba Cloud OSS, and more. For a production environment, your state files should be stored remotely, not on your local system! The remote state file's location is then specified using a backend block inside the terraform block (which is usually in the main.tf file).
To minimize the "blast radius," state files should be isolated. Projects are typically organized in a single folder and use a single state file for all resources. This instantly creates risk, as a configuration error might modify the state file and have unexpected effects on all of your resources.
A better approach would be to utilize many state files for different parts of your infrastructure. Because resources are logically separated from one another and have their own state file in the backend, changes to one resource do not affect the other. It's also recommended to have different state files for different environments.
terraform_remote_state is a data source that can be used to retrieve information directly from a remote state file. This is useful for referencing the outputs of configurations stored in separate state files. When you define an output block in your configuration, its contents are included in the state file. This information can then be used elsewhere in your project.
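The isolation and remote-state lookup described above, as an added example that is not code from the original article. It shows two separate root modules in one listing; the bucket name, region, CIDR ranges and the AMI placeholder are assumptions.

```hcl
# ---- network/main.tf : owns only networking resources, with its own state ----
terraform {
  backend "s3" {
    bucket  = "example-tfstate-bucket"         # assumed bucket name
    key     = "prod/network/terraform.tfstate" # one key per component and environment
    region  = "us-east-1"                      # assumed region
    encrypt = true                             # server-side encryption of the state object
  }
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16" # constructed sample range
}

resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Only values declared as outputs are exposed through terraform_remote_state.
output "app_subnet_id" {
  value = aws_subnet.app.id
}

# ---- app/main.tf : separate root module, separate state file ----
terraform {
  backend "s3" {
    bucket  = "example-tfstate-bucket"
    key     = "prod/app/terraform.tfstate" # a mistake here cannot touch network state
    region  = "us-east-1"
    encrypt = true
  }
}

data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-tfstate-bucket"
    key    = "prod/network/terraform.tfstate"
    region = "us-east-1"
  }
}

resource "aws_instance" "app" {
  ami           = "ami-00000000000000000" # placeholder, not a real image ID
  instance_type = "t3.micro"
  subnet_id     = data.terraform_remote_state.network.outputs.app_subnet_id
}
```

Although the data source exposes only outputs, the identity running the app configuration needs read access to the entire network state object, which can contain sensitive attribute values, so grant that read permission per key rather than on the whole bucket.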
If your backend supports it, Terraform can lock your state for any actions that could write state. This keeps others from getting access to the state at the same time, so it helps to avoid state corruption.
State locking occurs automatically on all operations that have the potential to write state. There will be no indication that this is happening. Terraform will not proceed if state locking fails. Passing -lock=false deactivates state locking for most commands, although this is not advised.
If the lock acquisition takes longer than intended, Terraform will display a status message. Even if Terraform does not produce a notification, state locking is still taking place if your backend supports it.
With an S3 backend, it is recommended to set up state locking with DynamoDB.
It is sometimes necessary to interact with the state file manually, whether to check its contents, remove objects that were imported incorrectly or no longer exist in the real infrastructure, or import items that already exist to bring them under Terraform management.
To perform advanced state management, utilize the terraform state command. Prior to making changes, all state management commands that modify the state make a timestamped backup of the state.
Useful terraform state and related commands:
The terraform import command imports existing resources that were created by other means into the state file, bringing them under Terraform management. Each resource page in the Terraform documentation contains an import section that explains how to use the command for that resource.
Understanding Terraform state management and its best practices is essential for being proficient with Terraform. As a general rule, state files should be stored remotely and isolated, with separate state files for logical groups of resources and for each environment, in order to decrease the "blast radius" if any mistakes occur.
To refer to outputs from state files, utilize the terraform_remote_state data source. Finally, the terraform state and terraform import commands can be used to modify the state file's contents.