Amazon Web Services
Vadim, 2019-11-07 14:27:47

How to reduce the risk of infrastructure loss when using Terraform?

Hello,
I got an opinion that using Terraform to automatically add or modify infrastructure in production can be risky, as it sometimes leads to the complete removal of already existing services.
Can someone share if this is the case and how to mitigate these risks?
Thanks,
Vadim


2 answer(s)
Eugene, 2019-11-07
@Viji

You can lose everything with any action and any product.
Terraform just lets you do it... nicely and very conveniently, if you have planned it badly.
Rule 1: use auto-apply only in places where you don't mind, or where you are absolutely sure (and accept the risk).
Rule 2: validate the plan. At least by eye.
In general, some people have a practice of writing the plan to a file, validating it with some external logic and, upon successful validation, applying the plan from the file with auto-confirmation, without recalculating it (which is otherwise done on each apply). I don't like it, and Terraform honestly warns that at the time of the actual apply the situation may differ and completely different elements will have to be changed.
Rule 3: spread elements across logical layers to reduce the affected area of a disastrous apply. For example, network settings are in one folder with its own state, application launch is in another, and they are connected via remote state. The main thing is to keep a sense of proportion, so that each, say, security group in AWS is not created in a separate layer.
Rule 4: use modules if a logical group of resources is used more than once. Here, too, you should not produce a module for each resource; approach it wisely.
Rule 5: test changes! (Using the same modules for stage and prod.) It is logical to assume that if you demolished the stage, then prod will be demolished too.
Rule 6: use a VCS to work with Terraform code (in order to roll back the code to restore a killed stage, for example).
Rule 7: use prevent_destroy lifecycle policies on resources to prevent them from being killed.
Rule 7.1: use ignore_changes where appropriate.
Rule 8: use the right tool for what you want to do. Terraform can do a lot of things, but it will not replace a configuration manager, although they slightly overlap in functions.
In principle, if I continue, I can get up to about 20 useful tips, but 90% of my rules are in fact this: use the same rules for working with Terraform code as for working with any other code, and you will remove 70% of the problems. The rest will be related to the peculiarities of how Terraform works and the radius of curvature of the hands of the author of the Terraform code.
P.S. I am writing on the go in the subway; spelling and punctuation are corrected by T9. Ask if you suddenly notice some term that I was not going to write :D

Ivan Shumov, 2019-11-07
@inoise

Study what a terraform plan is, and learn how to validate and approve it.
