State Management

Question 1

How does Terraform manages the state of the infrastructure?

Answer 1

By writing/recording everything inside a file named as “Terraform state” file.

Question 2

What is the location of Terraform state file?

Answer 2

//terraform.tfstate

Question 3

What is the format of Terraform state file?

Answer 3

JSON

Question 4

How Terraform restores the changes of the infrastructure , if something is changed manually?

Answer 4

Since it is maintaining the state in local file, everytime we fire the “plan” command, it compares the state saved local file with the “actual remote state”.
Finally it finds the “delta” and restores to the previous state.

Question 5

What are the main challenges with the state files?

Answer 5

1. Shared Storage
2. Locking mechanism to avoid race-condition
3. Isolated environment specific state files

Question 6

Does terraform saves secrets in state file in plain text?

Answer 6

yes, Terraform save state secrets like “user-name” or “password” in plain-text. Hence it should be encrypted at rest.

Question 7

Does Terraform provides remote state storage?

Answer 7

yes, Terraform has a built-in support for remote state storage. It supports both: local state storage and remote state storage.

Question 8

Why AWS S3 is a preferred way to save the state files?

Answer 8

1. It is durable (very less chance to loose objects)
2. It provides versioning
3. It provides encryption at rest and at transit

Question 9

How can we prevent a resource to get destroyed?

Answer 9

By using the attribute “prevent_destroy” in “lifecycle” parameter object.

Question 10

Write the general syntax of creation of s3 bucket?

Answer 10

resource "aws_s3_bucket" "terraform_bucket" {
  bucket = "terraform_bucket"
  versioning {
     enabled = true
  }
  lifecycle {
     prevent_destroy = true
  }
}

Question 11

How to add versioning of s3 buckets if we are using AWS >=4.0.0.0?

Answer 11

After AWS 4.0.0, we need to add a new resource for enabling the versioning:
resource “aws_s3_bucket_versioning” “s3_version” {
bucket = “${aws_s3_bucket.my_bucket.id}”
versioning_configuration {
status = “enabled”
}
}

Question 12

How can we apply server side encryption?

Answer 12

This can be applied by following configuration parameter:
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = “AES256”
}
}

Question 13

Which resource should we use for locking the state files?

Answer 13

Dynamo DB with primary key as “LockID” (exact spelling and captilisation)

Question 14

What are the important attributes we need for creation of DynamoDB table?

Answer 14

1. name (as in name of the table)
2. hash_key (the primary key)
3. billing
4. attribute - name and type

Question 15

Write syntax for creation of DynamoDB table?

Answer 15

resource "aws_dynamodb_table" "terraform_locks" {
  name = "terraform_lock"
  billing = "PAY_PER_REQUEST"
  hash_key = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

Question 16

How to make terraform to save state files in remote location and also use locking?

Answer 16

This can be done by “backend” object. In backend object.

Question 17

Explain the syntax of backend object?

Answer 17

The backend object is for internal use of Terraform. Hence it must be used inside the terraform object.
terraform {

backend “s3” {
bucket = “name of bucket”
key = “global/s3/terraform.tfstate”
region = “ap-south-1”

 dynamodb_table = "table_name"
 encrypt = "true"  } }

Question 18

is it necessary to create “s3 bucket” and “dynamodb_table” before remote state storage?

Answer 18

Yes, these two resources must be created before either by Terraform or by manual, otherwise it will give error.

Question 19

How can we migrate “local state storage” to “remote state storage” if we create s3 and dynamodb table by terraform itself.

Answer 19

We can do this by re-running the command “terraform init”.

This command re-initialise the backend system and transfers the state file to s3 bucket

Question 20

is terraform init an idempotent call?

Answer 20

Yes, it is an idempotent call, it will not re-apply things.

Question 21

What will happen if we try to destroy the resources which contains the “s3 bucket” and “dynamodb” table?

Answer 21

Terraform will give error as we made “prevent_destroy” as true in S3 bucket.

Question 22

What is the solution of keeping the “s3 bucket” and “dynamodb table” while destroying the other resources.

Answer 22

by running following command

terraform state rm [options] ADDRESS

Question 23

What should be the ideal way to create the “S3” bucket and “dynamodb” table as backend?

Answer 23

It should be created manually and added inside the backend object.

Question 24

what’s the challenge in managing all environment resources in a single state file?

Answer 24

If the state file gets corrupted or lost, we will loose all environments including production.

Question 25

What is state file isolation?

Answer 25

In this state of each environment is managed separately and these environments are isolated from each other.

Question 26

What are different ways by which we can isolate state files or environments in Terraform?

Answer 26

1. By using Workspaces

2. By using File layout

Question 27

What is a workspace in Terraform? What’s the name of the workspace created by Terraform?

Answer 27

The workspace is nothing but the “instances” of the Terraform “state” or simply “state file”, in same working directory.
The first workspace created by Terraform is named as “default” workspace.

Question 28

How to print the name of current workspace we are working in?

Answer 28

Using command:

Terraform workspace show

Question 29

How to create a new workspace?

Answer 29

Terraform workspace new dev

Question 30

What is done by the terraform, once we create a new workspace?

Answer 30

1. It creates a new folder with name “env” in local/remote storage.
2. It creates a new folder with name as of “workspace” name in the “env” folder
3. It copies the same path as of “backend” path
4. It copies the state file as it is without creating the “resources”.

Question 31

Does the new “env” contains the “same resources” as of default workspace?

Answer 31

No, the new environment doesn’t contains any infrastructure. It will create a parallel infra to test out the new code.

Question 32

How to switch to different workspaces?

Answer 32

terraform workspace select stage

Question 33

How to list the total number of workspaces available ?

Answer 33

terraform workspace list

Question 34

What’s the user case of “workspace”?

Answer 34

The main use case is of creation and testing of new infra without affecting the original infra.

Question 35

Does switching of the workspace, changes our source code?

Answer 35

No, the source code will remain same.
The only objective of the workspace is to test the “new changes in infra state” before merging same into actual infra-state.

Question 36

Does workspace helps in testing?

Answer 36

yes, it allows to create and test new parallel infra without affecting the original infra.

Question 37

Is there any other way of isolation of state files apart from workspaces?

Answer 37

yes, we can isolate different environments using “file layout” instead of workspaces.

Question 38

What is “file layout” isolation of terraform state?

Answer 38

File isolation simply means creation of multiple state files in different folders.

Question 39

What are the conditions of File layout isolation?

Answer 39

1. Each environment must have it’s own folder and Terraform configuration files.
2. Each environment must have it’s own backend system.

Question 40

How can define a “component” in terraform lingo?

Answer 40

A “component’ is nothing but the set of different resources which gets deployed together. e.g.

1. VPC is a component which contains subnets, ACLs, routing rule etc.
2. Service is a component which contains webservers and their dependent services.
3. Database is a component which contains database related services.

Question 41

How environment and components works together to create the file layout isolation?

Answer 41

1. A single project must be divided into multiple environment
2. Each environment must be divided into different components.
3. Each component must contain variable.tf, main.tf and output.tf

Question 42

Create the file-layout structure for file-layout-isolation.

Answer 42

project-name

• dev
  
  • vpc
  • service
    
    • frontend-app
      
      • variable.tf
      • main.tf
      • output.tf
      • provider.tf
  • database
• stage
  
  • vpc
  • service
  • database
• prod
  
  • vpc
  • service
  • database
• mgmt-devops
  
  • vpc
  • services
    
    • bastion-host
    • jenkins
      
      • global
  • iam
  • s3

Question 43

How can we refer a resource defined in one configuration file into another configuration file created in another folder?

Answer 43

By using “terraform_remote_state” datasource.

Question 44

What different types of information a data-source can fetch?

Answer 44

1. Read only information from provider

2. Read only information from a different state file

Question 45

Should we save secrets inside the Terraform configuration files?

Answer 45

Never. we should never save SECRETS inside the Terraform configuration files, as it will visible in plain sigts.

Question 46

What are the different ways to pass secrets to the terraform configuration files?

Answer 46

1. Use AWS (or providers) secret managed services and fetch data using the “data source”
2. Create a variable in configuration file and pass it’s value from “environment” e.g.&raquo_space; export TF_VAR_
3. a. Use commandline utility like “pass” and store secret inside it. Fetch data from “pass” and provide same to environment variable

Question 47

Can we read secrets from “Terraform state files”?

Answer 47

Yes, we can read it. Hence it must be encrypted at rest.

Question 48

What are the process to read data from “remote state file”?

Answer 48

1. Export data which needs to be consumed using the “output variable”.
2. Use the datasource - terraform_remote_state to read these output variable
3. Consume the variable inside the configuration file

Question 49

Explain the general syntax of “terraform_remote_state” data source?

Answer 49

data "terraform_remote_state" "db" {
    backend = "s3"
     config = {
         bucket = "bucket_name"
         key = "path/terraform.tfstate"
         region = "us-east-1"
    }
}

Question 50

Does Terraform supports functions?

Answer 50

Yes, Terraform provides built-in functions which can be called during execution.
However, we cannot create our own function, we can only call them by passing a number of arguments.

Question 51

What’s the general syntax of built-in function?

Answer 51

function_name(…)

Question 52

How can we experiment/execute built-in functions outside the configuration file?

Answer 52

We can use “terraform console” for execution of built-in function.

Question 53

Explain the file() function?

Answer 53

The file function takes the “path of the file” as string argument and returns the content in “string” format.
e.g. file(“/home/file.txt”)

Question 54

How can we load “user-data-script” from an external file instead of writing everything inside the “configuration” file?

Answer 54

This can be done by using “file” function. We can call the file function inside the configuration file.

Question 55

Can we pass “dynamic” data to “user-data” script, if we use the “file-function”?

Answer 55

No, it is not possible. The file function only returns the content of the file as it is.

Question 56

What is the standard way to externalise a “user data” script?

Answer 56

The standard way is to use “template_file” data source.

Question 57

What is “template_file” data source?

Answer 57

“template_file” data source is a type of data source, which renders the file content by passing it “dynamic variables” in runtime.

Question 58

Provide the general syntax of “template_file” data source?

Answer 58

The general syntax is:
data "template_file" {
  template = file("path")
  vars = {
      server_port = "${var.server_port}"
  }

Question 59

How to consume the variables passed to the user-date script to the template file?

Answer 59

Just use the interpolation syntax just like anywhere else.

${server_port}

Question 60

How to consume the rendered string from the template_file data source.

Answer 60

It is done by calling the data source:

data.template_file.file.rendered