State Management Flashcards
How does Terraform manage the state of the infrastructure?
By writing/recording everything inside a file known as the "Terraform state" file.
What is the location of the Terraform state file?
./terraform.tfstate (in the working directory)
What is the format of Terraform state file?
JSON
How does Terraform restore the infrastructure if something is changed manually?
Since it maintains the state in a local file, every time we run the "plan" command it compares the state saved in the local file with the "actual remote state".
Finally it finds the "delta" and restores the infrastructure to the previously recorded state.
What are the main challenges with the state files?
- Shared Storage
- Locking mechanism to avoid race conditions
- Isolated environment specific state files
Does Terraform save secrets in the state file in plain text?
Yes, Terraform saves secrets such as a "user-name" or "password" in the state file in plain text. Hence the state file should be encrypted at rest.
Does Terraform provide remote state storage?
Yes, Terraform has built-in support for remote state storage. It supports both local state storage and remote state storage.
Why is AWS S3 a preferred way to save the state files?
- It is durable (very low chance of losing objects)
- It provides versioning
- It provides encryption at rest and in transit
How can we prevent a resource from being destroyed?
By using the attribute "prevent_destroy" in the "lifecycle" parameter object.
Write the general syntax for creating an S3 bucket.
resource "aws_s3_bucket" "terraform_bucket" {
  bucket = "terraform-bucket"   # S3 bucket names may not contain underscores
  versioning {
    enabled = true
  }
  lifecycle {
    prevent_destroy = true
  }
}
How do we add versioning to S3 buckets if we are using AWS provider >= 4.0.0?
After AWS provider 4.0.0, we need to add a new resource for enabling versioning:
resource "aws_s3_bucket_versioning" "s3_version" {
  bucket = aws_s3_bucket.my_bucket.id
  versioning_configuration {
    status = "Enabled"   # the provider expects "Enabled" or "Suspended" (capitalised)
  }
}
How can we apply server-side encryption?
This can be applied with the following configuration block:
server_side_encryption_configuration {
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
Which resource should we use for locking the state files?
DynamoDB, with the primary key named "LockID" (exact spelling and capitalisation)
What are the important attributes we need to create a DynamoDB table?
- name (the name of the table)
- hash_key (the primary key)
- billing_mode
- attribute - name and type
Write the syntax for creating a DynamoDB table.
resource "aws_dynamodb_table" "terraform_locks" {
  name         = "terraform_lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
How do we make Terraform save state files in a remote location and also use locking?
This can be done with the "backend" object.
Explain the syntax of the backend object.
The backend object is for internal use by Terraform. Hence it must be placed inside the terraform object.
terraform {
  backend "s3" {
    bucket         = "name of bucket"
    key            = "global/s3/terraform.tfstate"
    region         = "ap-south-1"
    dynamodb_table = "table_name"
    encrypt        = true
  }
}
Is it necessary to create the "s3 bucket" and "dynamodb_table" before using remote state storage?
Yes, these two resources must be created beforehand, either by Terraform or manually; otherwise it will give an error.
How can we migrate from "local state storage" to "remote state storage" if we create the S3 bucket and DynamoDB table with Terraform itself?
We can do this by re-running the command "terraform init".
This command re-initialises the backend and transfers the state file to the S3 bucket.
Is terraform init an idempotent call?
Yes, it is an idempotent call; it will not re-apply things.
What will happen if we try to destroy the resources that include the "s3 bucket" and "dynamodb" table?
Terraform will give an error because we set "prevent_destroy" to true on the S3 bucket.
What is the solution for keeping the "s3 bucket" and "dynamodb table" while destroying the other resources?
By running the following command:
terraform state rm [options] ADDRESS
What is the ideal way to create the "S3" bucket and "dynamodb" table used as the backend?
They should be created manually and referenced inside the backend object.
What's the challenge in managing all environment resources in a single state file?
If the state file gets corrupted or lost, we will lose all environments, including production.