In this presentation, we will cover intermediate Terraform topics including alternative providers, collection types, loops and conditionals, and resource lifecycles. We will also focus on reusability with a discussion on modules, data sources, and remote state (including live demo examples). Finally, we start the initial look into a full DevOps process with a quick review of Workspaces and Terraform Cloud; and wrap everything up with some key takeaway learning resources in your Terraform learning adventure. NOTE: A recording this presentation can be found here: https://youtu.be/0CEF4eZ6HiQ

1. Infrastructure-as-Code (IaC)
USING TERRAFORM (INTERMEDIATE EDITION)
Adin Ermie
Cloud Solution Architect
(Azure Apps & Infra)
Microsoft

2. Agenda
Quick basics
•Commands,
resources, file
structure
01
Intermediate
•Commands
•Providers
•Lists, Maps, and
Loops
•Lifecycle
02
Reusability
•Modules
•Data sources
•Remote state
03
Branching
(into DevOps)
•Workspaces (CLI)
•Terraform Cloud
04
Resources
•General
•Certification
05

3. Microsoft’s investments in
Terraform
Microsoft Team HashiCorp Team
Terraform AzureRM Provider updates
◦ Latest release (July 2, 2020)
enhancements/bug fixes
releases/updates published in June alone!
Terraform Module Registry
◦ https://registry.terraform.io/browse/modules?provider=azurerm

4. Roadmap
https://github.com/terraform-providers/terraform-provider-azurerm

5. Terraform v0.13 highlights
 Support for , , and
 New syntax
 Custom
 command connects a CLI user to the Terraform
Cloud app
variable "image_id" {
type = string
description = "The id of the machine image (AMI) to use for the server."
validation {
condition = length(var.image_id) > 4 && substr(var.image_id, 0, 4) == "ami-"
error_message = "The image_id value must be a valid AMI id, starting with "ami-"."
}
}
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "2.0.0"
}
}
}

6. Quick basics
Terraform basics
 Commands / Workflows (ie. init, plan, apply, destroy)
 Resource creation (ie. resource types, configurations)
 File structure (ie. backends, providers, variables, outputs)
Init
Plan
Apply
Destroy
resource "azurerm_resource_group" "SharedServicesRG" {
name = "SharedServicesRG"
location = "Canada Central"
}
NameResource Type
Resource Configuration
terraform {
required_version = ">=0.12.0"
backend "azurerm" {
resource_group_name = "tstate"
storage_account_name = "tstate123"
container_name = "tstate"
key = "terraform.tfstate"
}
}
provider "azurerm" {
version = ">=2.0.0"
subscription_id = "<<REMOVED>>"
client_id = "<<REMOVED>>"
client_secret = "<<REMOVED>>"
tenant_id = "<<REMOVED>>"
}
resource "azurerm_resource_group" "example" {
name = var.resource_group_name
location = var.location
}
resource "azurerm_storage_account" "example" {
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
tags = {
environment = "staging"
}
}
Infrastructure-as-Code (IaC)
using Terraform (Beginner)

7. INTERMEDIATE
CONCEPTS
BEYOND THE BASICS

8. Terraform commands
 Terraform fmt (-recursive)
 Used to rewrite Terraform configuration files to a canonical format and style
 Terraform graph
 Used to generate a visual representation of either a configuration or execution plan
 Terraform show
 Used to provide human-readable output from a state or plan file
 Terraform validate
 Runs checks that verify whether a configuration is syntactically valid and internally consistent
 Terraform taint
 Manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on
the next apply

9. Alternative/non-default provider
 Optionally define multiple alternative ("aliased") configurations for a
single provider, to allow management of resources in different regions in
multi-region services
 A resource always has an implicit dependency on its associated provider,
to ensure that the provider is fully configured before any resource
actions are taken
 Arbitrary (ie. variable/parameter) expressions are not permitted for
provider because it must be resolved while Terraform is constructing the
dependency graph, before it is safe to evaluate expressions

10. Collections Types (Lists, Maps, and Sets)
 list (or tuple) is a sequence of values, like ["us-west-1a", "us-west-1c"]
 map (or object) is a group of values identified by named labels,
like {name = "Mabel", age = 52}
 set(...) is a collection of unique values that do not have any secondary
identifiers or ordering
 Note: When a list or tuple is converted to a set, duplicate values are
discarded, and the ordering of elements is lost

11. Loops and Conditionals
 Loops allow you to create many of the same resource at the same time
 The count meta-argument accepts a whole number and creates that many instances of the resource
 The for_each meta-argument accepts a map or a set of strings and creates an instance for each item in
that map or set
 The for expression iterates over each element, and then evaluates the expression, with X set to each
respective element
 A conditional expression uses the value of a bool expression to select one of two values
 Allows you to prevent a resource being created, updated or deleted given a certain condition

12. Lifecycle
 The lifecycle block and its contents are meta-arguments, available for all resource blocks regardless of
type.
 create_before_destroy (bool)
 The new replacement object is created first, and then the prior object is destroyed only once the
replacement is created
 prevent_destroy (bool)
 Cause Terraform to reject (with an error) any plan that would destroy the infrastructure object
associated with the resource, as long as the argument remains present in the configuration
 ignore_changes (list of attribute names)
 Share management responsibilities of a single object with a separate process
 Specifies resource attributes that Terraform should ignore when planning updates to the associated
remote object

13. REUSABILITY
DON’T REINVENT
(OR RE-CODE)
THE WHEEL

14. Modules
 A container for multiple resources that are used together
 Can call other modules, which lets you include the child
module's resources
 When sourced from local file paths do not support version,
since they're loaded from the same source repository
 All modules require a source argument, which can either be
the path to a local directory, or a remote module source
 After adding, removing, or modifying module blocks, you must
re-run terraform init to allow Terraform the opportunity to
adjust the installed modules
BONUS!
Terraform v0.13.0 beta
Modules will support…
count, for_each, and
depends_on

15. Data sources
 Allows a Terraform configuration to make use of information
defined outside of Terraform, or defined by another separate
Terraform configuration
 A data block requests that Terraform read from a given data
source (“azurerm_virtual_network") and export the result
under the given local name (“ProdVNET")
 Within the block body (between { and }) are query constraints
defined by the data source

16. Remote state
 Allows you to use the root-level outputs of one or more
Terraform configurations as input data for another
configuration
 Only the root-level outputs from the remote state are
accessible. Outputs from modules within the state cannot
be accessed.
 If you want a module output or a resource attribute to be
accessible via a remote state, you must thread the output
through to a root output.

17. Bonus! TFLint
A part of the GitHub Super Linter
 One linter to rule them all
 Used to validate against issues
 Focused on possible errors, , etc.
 Support for all providers
 Rules that warn against
 AWS = 700+ rules
 Azure = 279 rules (Experimental support)
 GCP = WIP

19. BRANCHING
INTO DEVOPS

20. Workspaces (CLI)
 Used to manage collections of infrastructure resources and organize them into meaningful
groups by keeping their configurations (ie. state data, variables) in separate directories
 Technically equivalent to renaming your state file
 Example:
 Code used for a production environment's infrastructure could be split into a networking
configuration, the main application's configuration, and a monitoring configuration
 After splitting the code, you would create "networking-prod", "app1-prod", "monitoring-
prod" workspaces, and assign separate teams to manage them
 The important thing about workspace internals is that workspaces are meant to be a shared
resource. They aren't a private, local-only notion.
Note: Terraform Cloud and Terraform CLI both have
features called "workspaces," but they're slightly
different. CLI workspaces are alternate state files in
the same working directory; they're a convenience
feature for using one configuration to manage
multiple similar groups of resources.

21. Terraform Cloud
 Manages easy access to shared state and secret data, access controls for approving changes to
infrastructure, a private registry for sharing Terraform modules, detailed policy controls for
governing the contents of Terraform configurations
 Terraform Cloud acts as a remote backend for your Terraform state. State storage is tied to
workspaces, which helps keep state associated with the configuration that created it.
 Performs Terraform runs to provision infrastructure, either on demand or in response to various
events
 Executes these runs on disposable virtual machines in its own cloud infrastructure
 Remote execution helps provide consistency and visibility for critical provisioning operations
app.terraform.io

22. RESOURCES
FOR LEARNIN’ STUFF

23. Resources
Adin’s personal curated list of Terraform resources
Advanced Tips & Tricks to Optimize your Terraform Code
Terraform Advanced
Terraform on Microsoft Azure: Terraform projects organization and modules
How to create reusable infrastructure with Terraform modules
Terraform tips & tricks: loops, if-statements, and gotchas
Terraform in Action
Don’t forget about these Visual Studio
Code (VS Code) extensions:
 Azure Terraform (by Microsoft)
 Terraform (by Mikael Olenfalk)
 Now owned by HashiCorp!
Demo example code: https://github.com/mspnp/hadrinf/tree/master/Templates/Terraform/Networking

24. More resources
Terraform Configurations in Terraform Cloud Workspaces
Terraform Modules hands-on lab
Azure Terraform QuickStart Templates
Misadventures with Terraform
Commodified IaC Using Terraform Cloud
Getting Started with Terraform on Azure: Functions, Expressions, and Loops
Introducing TerraGoat, a “vulnerable-by-design” Terraform training project

25. Certification resources
HashiCorp Terraform Certified Associate Preparation Guide (co-authored by Adin Ermie)
Study Guide - Terraform Associate Certification (HashiCorp official)
Exam Review - Terraform Associate Certification (HashiCorp official)
Sample Questions - Terraform Associate Certification (HashiCorp official)

26. This is me
Adin Ermie
Cloud Solution Architect – Azure Apps & Infra @ Microsoft
◦ Azure Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS)
◦ Cloud Management & Security
◦ Azure Monitor, Azure Security Center (ASC) / Azure Sentinel
◦ Cloud Governance
◦ Azure Policy, Blueprints, Management Groups, and Azure Cost Management (ACM)
◦ Business Continuity and Disaster Recovery (BCDR)
◦ Azure Site Recovery (ASR) / Azure Migrate, and Azure Backup
◦ Infrastructure-as-Code (IaC)
◦ Azure Resource Manager (ARM), and Terraform
5x MVP - Cloud and Datacenter Management (CDM)
1x HCA – HashiCorp Ambassador
Adin.Ermie@outlook.com
@AdinErmie
https://AdinErmie.com
linkedin.com/in/adinermie