Questions related to Terraform code structure are by far the most frequent in the community. Everyone thought about the best code structure for the project at some point also.
This is one of the questions where lots of solutions exist and it is very hard to give universal advice, so let's start with understanding what are we dealing with.
- What is the complexity of your project?
- Number of related resources
- Number of Terraform providers (see note below about "logical providers")
- How often does your infrastructure change?
- From once a month/week/day
- To continuously (every time when there is a new commit)
- Code change initiators? Do you let the CI server update the repository when a new artifact is built?
- Only developers can push to the infrastructure repository
- Everyone can propose a change to anything by opening a PR (including automated tasks running on the CI server)
- Which deployment platform or deployment service do you use?
- AWS CodeDeploy, Kubernetes, or OpenShift require a slightly different approach
- How environments are grouped?
- By environment, region, project
Putting all code in
main.tfis a good idea when you are getting started or writing an example code. In all other cases you will be better having several files split logically like this:
main.tf- call modules, locals, and data sources to create all resources
variables.tf- contains declarations of variables used in
outputs.tf- contains outputs from the resources created in
versions.tf- contains version requirements for Terraform and providers
- It is easier and faster to work with a smaller number of resources
terraform applyboth make cloud API calls to verify the status of resources
- If you have your entire infrastructure in a single composition this can take some time
- A blast radius (in case of security breach) is smaller with fewer resources
- Insulating unrelated resources from each other by placing them in separate compositions reduces the risk if something goes wrong
- Start your project using remote state because:
- Your laptop is no place for your infrastructure source of truth
- Managing a
tfstatefile in git is a nightmare
- Later when infrastructure layers start to grow in multiple directions (number of dependencies or resources) it will be easier to keep things under control
- Practice a consistent structure and naming convention:
- Like procedural code, Terraform code should be written for people to read first, consistency will help when changes happen six months from now
- It is possible to move resources in Terraform state file but it may be harder to do if you have inconsistent structure and naming
- Keep resource modules as plain as possible
- Don't hardcode values that can be passed as variables or discovered using data sources
- Use data sources and
terraform_remote_statespecifically as a glue between infrastructure modules within the composition
In this book, example projects are grouped by complexity - from small to very-large infrastructures. This separation is not strict, so check other structures also.
Having a small infrastructure means that there is a small number of dependencies and few resources. As the project grows the need to chain the execution of Terraform configurations, connecting different infrastructure modules, and passing values within a composition becomes obvious.
There are at least 5 distinct groups of orchestration solutions that developers use:
- 1.Terraform only. Very straightforward, developers have to know only Terraform to get the job done.
- 2.Terragrunt. Pure orchestration tool which can be used to orchestrate the entire infrastructure as well as handle dependencies. Terragrunt operates with infrastructure modules and compositions natively, so it reduces duplication of code.
- 3.In-house scripts. Often this happens as a starting point towards orchestration and before discovering Terragrunt.
- 4.Ansible or similar general purpose automation tool. Usually used when Terraform is adopted after Ansible, or when Ansible UI is actively used.
With that in mind, this book reviews the first two of these project structures, Terraform only and Terragrunt.