Remote State Management Flashcards
What are Terraform backends?
Terraform backends primarily determine where Terraform stores it’s state.
By default, terraform implicitly uses a backend called local to store state as a local file to disk.
What are the challenges with local backend?
Storing the state file in the local laptop will not allow collaboration (if a team is present)
What’s the solution for the state file when colloborating with a team?
- Terraform code is stored (committed) in Git Repository
- The state file is stored in a central backend (not local).
What are some popular central backends to store files allowing remote service related operations?
Amazon S3
Consul
Azurerm
Kubernetes
HTTP
ETCD
Ex: the terraform.tfstate will always reside in Amazon S3
Whats the important note regarding access control tied to storing central backend files in S3 buckets for example?
Access credentials are required to access the S3 buckets.
Some backends act like plain “remote disks” for state files, others support locking the state while operations are being performed, which helps prevent conflict and inconsistencies.
Whats the basic format for an S3 backend?
terraform {
backend “s3” {
bucket = “name”
key = “path.tfstate”
region = “region”
}
}
Where do you store the access key and secret key to authenticate to an S3 bucket?
You can use a AWS shared credential file OR you can use an AWS shared config file
You’ll do this using the AWS CLI command, typing aws configure, and store the credentials.
What command is ran to initialize the backend?
terraform init
How does terraform know if the state file is locked and in use?
Presence of a .terraform.tfstate.lock.info file.
Once the lock is released, the file will be removed.
Whats the reasoning for locking the state file?
Its important during an ongoing terraform apply operation that others can’t also do their own actions at the same time, it’ll corrupt the file.
Does state locking occur automatically?
State locking happens automatically on all operations that could write state, this won’t be visible.
If state locking fails, terraform will not continue.
What’s the force-unlock command used for?
This command is used to manually unlock the state if unlocking fails.
*If you unlock the state when someone is holding the lock it could cause multiple writers.
When should force unlock be used?
It should only be used to unlock your own lock in the situation where automatic unlocking has failed.
Does S3 support state locking functionality?
By default, S3 doesn’t support state locking functionality.
You need to incorporate DynamoDB tables to do so.
How do you integrate DynamoDB tables with S3 for state locking?
Adding dynamodb_table = “name” to the S3 block.
The partition key needs to have a name of lockID and type string.
Is it okay to modify the state file?
It is NOT recommended to modify the state file directly, however as your terraform usage becomes more advanced, there are some cases where you may need to modify the terraform state.
What is the terraform state command?
Its used for advanced state management.
The available sub-commands are:
1. list
2. mv
3. pull
4. push
5. rm
6. show
7. replace-provider
Whats the terraform state list sub-command for?
The terraform state list command is used to quickly list all resources managed by Terraform within a terraform state.
Use: terraform state list
Ex: if you have two resources
1. resource “aws_iam_user” “dev
2. resource “aws_security_group” “prod”
The results for terraform state list would be
aws_iam_user.dev
aws_security_group.prod
What is the terraform state show sub-command
The terraform state show command is used to show the attributes of a single resource in the state.
Use: terraform state show “resource”
Ex: terraform state show aws_security_group.prod
What is the terraform state pull sub-command
The terraform state pull command is used to pull the tf state file from a remote backend and output it to stdout.
What is the terraform state rm sub-command?
The terraform state rm command is used to remove items from the state file w/o destruction,
One reason: due to a resource maybe being modifying too many times and you don’t want to manage it via Terraform anymore
*Use this when you need to remove a resource from TF’s state mgmt w/o destroying it.
What is the terraform state mv sub-command?
The terraform state mv command is used to move an item in the state to a different address
Ex: you want to change resource “aws_iam_user” “prod”
to
resource “aws_iam_user” “dev”.
If you make this change in the TF file, it will attempt to destroy the prod user and create a new one for dev, which you dont want to do
What is the terraform state replace state-provider sub-command used for?
The terraform state replace state-provider command is used to replace the provider for resources in a Terraform state file.
Use case: instead of using AWS provider from registry.terraform.io/hashicorp/aws you want to use a custom provider, this command would come in
How was the terraform import functionality approached earlier?
In the older approach, terraform import would create the state file associated with the resources running in your environment
The tf files still has to be created from scratch
What’s the newer approach to terraform import?
In the newer approach, terraform import can automatically create the terraform config files for resources you want to import
This is possible from terraform 1.5 and above
Terraform import, what are typical challenges?
1.Resources in an org have been created manually for a number of years
A. Work now wants to start using terraform and manage these resources via terraform.
What is the command to generate a TF file when importing?
Terraform plan -generate-config-out=mysg.tf
