Terraform Best Practices — Limit resources in your project

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

2738

Abstract

of the infrastructure. This approach is referred to as ‘reducing the blast radius’, meaning that any issues are contained to a particular area.</p><p id="970b">Each section of infrastructure would also have its own state file, so any problems or corruption of the state file itself would be restricted to that area.</p><p id="161b">Problems with this approach include the duplication of config, and increased complexity of operations and management, as terraform will need to be run from each sub directory. Having multiple state files is something <a href="https://terragrunt.gruntwork.io/">Terragrunt </a>aims to make less painless, although it has benefits, think hard before bringing a wrapper into your projects as it brings another layer of overhead. I’ll hope to expand on using Terragrunt in another post.</p><p id="9c04">As well as achieving isolation by modifying the project or file structure, you could also achieve this using <a href="https://www.terraform.io/docs/language/state/workspaces.html">Terraform workspaces</a> to store your state files in multiple, separate, named workspaces, all within the same remote storage location if desired.</p><p id="44e5">It is also recommended that any changesets to code are minimal, for example deploying a new VNET in Azure may be one changeset. Deploying a VPN connecting to the VNET may be another changeset. Taking an incremental approach to commits limits the potential issues.</p><p id="e18a">Limiting the number of resources in a project also has be the benefits of being easier to read and understand the code.</p><p id="64b0">Lastly, when Terraform refreshes its state file, because the project has been split by component and environment, it has fewer resources to scan and therefore is quicker to work with. This is less of a problem for large infrastructures since 0.14 Terraform as improvements have been made (e.g. to show the diff, and scanning is quicker).</p><p id="85d7">Want more Terraform content? <a href="https://readmedium.com/terraform-related-articles-index-52fab8f11a0b">Check out my other articles on Terraform here</a>!</p><p id="3494">Cheers! 🍻</p><div id="fab7" class="link-block"> <a href="https://www.buymeacoffee.com/jackwesleyroper"> <div> <div> <h2>Jack Roper is Blogging on Azure, Azure DevOps, Terraform & Cloud tech!</h2> <div><h3>Hi! Hopefully, my blog helped you out and you enjoyed the content!Thanks for the support it is really appreciated! I…</h3></div> <div><p>www.buymeacoffee.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*C5FIPcfTmOnVd56A)

Options

"></div> </div> </div> </a> </div><p id="e6d6">Further reading:</p><div id="1300" class="link-block"> <a href="https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa"> <div> <div> <h2>How to manage Terraform state</h2> <div><h3>A guide to file layout, isolation, and locking for Terraform projects</h3></div> <div><p>blog.gruntwork.io</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*EHeqGG4yA2SavHSji5H_QA.jpeg)"></div> </div> </div> </a> </div><div id="705d" class="link-block"> <a href="https://thecloud.christmas/2019/11"> <div> <div> <h2>Splitting the Terraform monolith</h2> <div><h3>At Digipost we are in the progress of building up our new infrastructure on Azure. We are already enthusiastic users of…</h3></div> <div><p>thecloud.christmas</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*2BxVqSu8Ym5iKJHM)"></div> </div> </div> </a> </div><div id="de82" class="link-block"> <a href="https://charity.wtf/2016/03/30/terraform-vpc-and-why-you-want-a-tfstate-file-per-env/"> <div> <div> <h2>Terraform, VPC, and why you want a tfstate file per env</h2> <div><h3>Hey kids! If you've been following along at home, you may have seen my earlier posts on getting started with terraform…</h3></div> <div><p>charity.wtf</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*sY5vaHm9E63JgjL6)"></div> </div> </div> </a> </div><div id="0913" class="link-block"> <a href="https://www.terraform.io/docs/language/state/workspaces.html"> <div> <div> <h2>State: Workspaces - Terraform by HashiCorp</h2> <div><h3>Each Terraform configuration has an associated backend that defines how operations are executed and where persistent…</h3></div> <div><p>www.terraform.io</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*ORU99Wqhr4Di2xrs)"></div> </div> </div> </a> </div></article></body>

Terraform Best Practices — Limit resources in your project

When starting out with Terraform it’s hard to know what is considered ‘best practice’ in a number of areas.

This post is the seventh in the series which focuses on points 7 and 8 in the list, ‘Fewer resources in a project are easier and faster to work with’, and ‘Limit resources in the project to reduce the blast radius’.

Reasons to limit the number of resources and how to reduce your ‘blast radius’

Separating parts of your Terraform project is recommended best practice, as any bugs, errors or problems will then be restricted to one area, making remediation easier.

It is recommended to separate code by environment, and also by component. For example you might want to separate your networking from your databases. In addition to this you would separate Production, Staging, Development environments.

Changes to code can be deployed independently, then checked and tested, before deploying new code to other areas of the infrastructure. This approach is referred to as ‘reducing the blast radius’, meaning that any issues are contained to a particular area.

Each section of infrastructure would also have its own state file, so any problems or corruption of the state file itself would be restricted to that area.

Problems with this approach include the duplication of config, and increased complexity of operations and management, as terraform will need to be run from each sub directory. Having multiple state files is something Terragrunt aims to make less painless, although it has benefits, think hard before bringing a wrapper into your projects as it brings another layer of overhead. I’ll hope to expand on using Terragrunt in another post.

As well as achieving isolation by modifying the project or file structure, you could also achieve this using Terraform workspaces to store your state files in multiple, separate, named workspaces, all within the same remote storage location if desired.

It is also recommended that any changesets to code are minimal, for example deploying a new VNET in Azure may be one changeset. Deploying a VPN connecting to the VNET may be another changeset. Taking an incremental approach to commits limits the potential issues.

Limiting the number of resources in a project also has be the benefits of being easier to read and understand the code.

Lastly, when Terraform refreshes its state file, because the project has been split by component and environment, it has fewer resources to scan and therefore is quicker to work with. This is less of a problem for large infrastructures since 0.14 Terraform as improvements have been made (e.g. to show the diff, and scanning is quicker).

Cheers! 🍻