State Management Flashcards

1
Q

How does Terraform manage the state of the infrastructure?

A

By writing/recording everything inside a file called the “Terraform state” file.

2
Q

What is the location of the Terraform state file?

A

//terraform.tfstate

3
Q

What is the format of the Terraform state file?

A

JSON

4
Q

How does Terraform restore changes to the infrastructure if something is changed manually?

A

Since it maintains the state in a local file, every time we run the “plan” command, it compares the state saved in the local file with the “actual remote state”.
Finally, it finds the “delta” and restores to the previous state.

5
Q

What are the main challenges with the state files?

A
  1. Shared Storage
  2. Locking mechanism to avoid race conditions
  3. Isolated, environment-specific state files
6
Q

Does Terraform save secrets in the state file in plain text?

A

Yes, Terraform saves secrets like “user-name” or “password” in the state file in plain text. Hence it should be encrypted at rest.

7
Q

Does Terraform provide remote state storage?

A

Yes, Terraform has built-in support for remote state storage. It supports both local state storage and remote state storage.

8
Q

Why is AWS S3 a preferred way to save the state files?

A
  1. It is durable (very little chance of losing objects)
  2. It provides versioning
  3. It provides encryption at rest and in transit
9
Q

How can we prevent a resource from being destroyed?

A

By using the “prevent_destroy” attribute in the “lifecycle” parameter object.

10
Q

Write the general syntax for creating an S3 bucket.

A
resource "aws_s3_bucket" "terraform_bucket" {
  bucket = "terraform_bucket"
  versioning {
     enabled = true
  }
  lifecycle {
     prevent_destroy = true
  }
}
11
Q

How do we add versioning to S3 buckets if we are using AWS >=4.0.0.0?

A

After AWS 4.0.0, we need to add a new resource for enabling the versioning:
resource "aws_s3_bucket_versioning" "s3_version" {
  bucket = aws_s3_bucket.my_bucket.id
  versioning_configuration {
    # The status value is case-sensitive
    status = "Enabled"
  }
}

12
Q

How can we apply server-side encryption?

A

This can be applied with the following configuration parameter:
server_side_encryption_configuration {
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

13
Q

Which resource should we use for locking the state files?

A

DynamoDB with primary key as “LockID” (exact spelling and capitalisation)

14
Q

What are the important attributes we need for creating a DynamoDB table?

A
  1. name (as in name of the table)
  2. hash_key (the primary key)
  3. billing
  4. attribute - name and type
15
Q

Write the syntax for creating a DynamoDB table.

A
resource "aws_dynamodb_table" "terraform_locks" {
  name = "terraform_lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
16
Q

How do we make Terraform save state files in a remote location and also use locking?

A

This can be done by using the “backend” object. In backend object.

17
Q

Explain the syntax of the backend object.

A

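The backend object is for internal use of Terraform. Hence it must be used inside the terraform object.
terraform {
  backend "s3" {
    bucket         = "name of bucket"              # S3 bucket that stores the state
    key            = "global/s3/terraform.tfstate" # path of the state file in the bucket
    region         = "ap-south-1"
    dynamodb_table = "table_name"                  # DynamoDB table used for locking
    encrypt        = true                          # encrypt the state at rest
  }
}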
18
Q

Is it necessary to create the “s3 bucket” and “dynamodb_table” before remote state storage?

A

Yes, these two resources must be created beforehand, either by Terraform or manually; otherwise it will give an error.

19
Q

How can we migrate “local state storage” to “remote state storage” if we create the S3 bucket and DynamoDB table by Terraform itself?

A

We can do this by re-running the command “terraform init”.

This command re-initialises the backend system and transfers the state file to the S3 bucket.

20
Q

Is terraform init an idempotent call?

A

Yes, it is an idempotent call; it will not re-apply things.

21
Q

What will happen if we try to destroy the resources which contain the “s3 bucket” and “dynamodb” table?

A

Terraform will give an error, as we set “prevent_destroy” to true in the S3 bucket.

22
Q

What is the solution for keeping the “s3 bucket” and “dynamodb table” while destroying the other resources?

A

By running the following command:

terraform state rm [options] ADDRESS

23
Q

What should be the ideal way to create the “S3” bucket and “dynamodb” table as backend?

A

It should be created manually and added inside the backend object.

24
Q

What’s the challenge in managing all environment resources in a single state file?

A

If the state file gets corrupted or lost, we will lose all environments including production.

25
Q

What is state file isolation?

A

In this, the state of each environment is managed separately and the environments are isolated from each other.

26
Q

What are different ways by which we can isolate state files or environments in Terraform?

A
  1. By using Workspaces
  2. By using File layout

27
Q

What is a workspace in Terraform? What’s the name of the workspace created by Terraform?

A

A workspace is nothing but an “instance” of the Terraform “state”, or simply “state file”, in the same working directory.
The first workspace created by Terraform is named the “default” workspace.

28
Q

How do we print the name of the current workspace we are working in?

A

Using command:

terraform workspace show

29
Q

How to create a new workspace?

A

terraform workspace new dev

30
Q

What is done by Terraform once we create a new workspace?

A
  1. It creates a new folder named “env” in local/remote storage.
  2. It creates a new folder with the “workspace” name inside the “env” folder
  3. It copies the same path as the “backend” path
  4. It copies the state file as it is without creating the “resources”.
31
Q

Does the new “env” contain the “same resources” as the default workspace?

A

No, the new environment doesn’t contain any infrastructure. It will create a parallel infra to test out the new code.

32
Q

How do we switch to a different workspace?

A

terraform workspace select stage

33
Q

How do we list the workspaces available?

A

terraform workspace list

34
Q

What’s the use case of “workspace”?

A

The main use case is the creation and testing of new infra without affecting the original infra.

35
Q

Does switching the workspace change our source code?

A

No, the source code will remain the same.
The only objective of the workspace is to test the “new changes in infra state” before merging the same into the actual infra state.

36
Q

Does a workspace help in testing?

A

Yes, it allows us to create and test new parallel infra without affecting the original infra.

37
Q

Is there any other way of isolating state files apart from workspaces?

A

Yes, we can isolate different environments using “file layout” instead of workspaces.

38
Q

What is “file layout” isolation of terraform state?

A

File isolation simply means the creation of multiple state files in different folders.

39
Q

What are the conditions of File layout isolation?

A
  1. Each environment must have its own folder and Terraform configuration files.
  2. Each environment must have its own backend system.
40
Q

How can we define a “component” in Terraform lingo?

A

A “component” is nothing but a set of different resources which get deployed together, e.g.

  1. VPC is a component which contains subnets, ACLs, routing rules, etc.
  2. Service is a component which contains webservers and their dependent services.
  3. Database is a component which contains database related services.
41
Q

How do environments and components work together to create the file layout isolation?

A
  1. A single project must be divided into multiple environments
  2. Each environment must be divided into different components.
  3. Each component must contain variable.tf, main.tf and output.tf
42
Q

Create the file-layout structure for file-layout-isolation.

A

project-name

  • dev
    • vpc
    • service
      • frontend-app
        • variable.tf
        • main.tf
        • output.tf
        • provider.tf
    • database
  • stage
    • vpc
    • service
    • database
  • prod
    • vpc
    • service
    • database
  • mgmt-devops
    • vpc
    • services
      • bastion-host
      • jenkins
        • global
    • iam
    • s3
43
Q

How can we refer to a resource defined in one configuration file from another configuration file created in another folder?

A

By using the “terraform_remote_state” data source.

44
Q

What different types of information can a data source fetch?

A
  1. Read-only information from the provider
  2. Read-only information from a different state file

45
Q

Should we save secrets inside the Terraform configuration files?

A

Never. We should never save SECRETS inside the Terraform configuration files, as they will be visible in plain sight.

46
Q

What are the different ways to pass secrets to the terraform configuration files?

A
  1. Use AWS (or the provider’s) secret management services and fetch data using the “data source”
  2. Create a variable in the configuration file and pass its value from the “environment”, e.g. export TF_VAR_
  3. Use a command-line utility like “pass” and store the secret inside it. Fetch data from “pass” and provide the same to the environment variable
47
Q

Can we read secrets from “Terraform state files”?

A

Yes, we can read it. Hence it must be encrypted at rest.

48
Q

What is the process to read data from a “remote state file”?

A
  1. Export data which needs to be consumed using the “output variable”.
  2. Use the data source terraform_remote_state to read these output variables
  3. Consume the variable inside the configuration file
49
Q

Explain the general syntax of “terraform_remote_state” data source?

A
data "terraform_remote_state" "db" {
  backend = "s3"
  config = {
    bucket = "bucket_name"
    key    = "path/terraform.tfstate"
    region = "us-east-1"
  }
}
50
Q

Does Terraform support functions?

A

Yes, Terraform provides built-in functions which can be called during execution.
However, we cannot create our own function, we can only call them by passing a number of arguments.

51
Q

What’s the general syntax of a built-in function?

A

function_name(…)

52
Q

How can we experiment/execute built-in functions outside the configuration file?

A

We can use “terraform console” for execution of built-in functions.

53
Q

Explain the file() function?

A

The file function takes the “path of the file” as string argument and returns the content in “string” format.
e.g. file("/home/file.txt")

54
Q

How can we load “user-data-script” from an external file instead of writing everything inside the “configuration” file?

A

This can be done by using the “file” function. We can call the file function inside the configuration file.

55
Q

Can we pass “dynamic” data to “user-data” script, if we use the “file-function”?

A

No, it is not possible. The file function only returns the content of the file as it is.

56
Q

What is the standard way to externalise a “user data” script?

A

The standard way is to use the “template_file” data source.

57
Q

What is “template_file” data source?

A

The “template_file” data source is a type of data source which renders the file content by passing it “dynamic variables” at runtime.

58
Q

Provide the general syntax of “template_file” data source?

A
The general syntax is:
data "template_file" "file" {
  template = file("path")
  vars = {
    server_port = "${var.server_port}"
  }
}
59
Q

How do we consume the variables passed to the user-data script in the template file?

A

Use the interpolation syntax, just like anywhere else.

${server_port}

60
Q

How do we consume the rendered string from the template_file data source?

A

It is done by calling the data source:

data.template_file.file.rendered