Terraform on Adurhttps://adurrr.github.io/en/tags/terraform/Recent content in Terraform on AdurHugo -- gohugo.ioenMon, 20 Nov 2023 00:00:00 +0000Building an IaC repository for the homelabhttps://adurrr.github.io/en/p/building-an-iac-repository-for-the-homelab/Mon, 20 Nov 2023 00:00:00 +0000https://adurrr.github.io/en/p/building-an-iac-repository-for-the-homelab/<h2 id="what-triggered-this">What triggered this </h2><p>A couple of months ago I spent time hardening the K3s cluster. I went through an entire weekend changing configurations, tuning kernel parameters, swapping Flannel for Cilium, writing network policies. By the end the cluster was in much better shape.</p> <p>But I had done all of it by hand.</p> <p>If I need to recreate that node from scratch tomorrow, how long does it take? Probably two or three days digging through my own notes scattered across text files, terminal history, and chat messages. And I would still miss things. That is not sustainable.</p> <p>So I decided to build a proper infrastructure repository. Not a demo, not a proof of concept — the repository where the definition of everything I run at home lives, sanitized enough to publish.</p> <h2 id="what-the-homelab-looks-like">What the homelab looks like </h2><p>Before talking about the repository structure, it helps to explain what needs to be managed. The setup is:</p> <ul> <li>A main server running Proxmox where several VMs live</li> <li>Two additional physical nodes forming the K3s cluster</li> <li>A router running OpenWrt</li> <li>A NAS running TrueNAS</li> </ul> <p>It is not a huge environment, but it has enough variety that managing everything by hand is a real problem. Especially because Proxmox, the VMs, the cluster, and the NAS have configurations that interact with each other: IPs, internal DNS, certificates, users.</p> <h2 id="repository-structure">Repository structure </h2><p>After a few experiments, this is the layout that works for me:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">homelab</span><span class="o">-</span><span class="n">infra</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">terraform</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">modules</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">proxmox</span><span class="o">-</span><span class="n">vm</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">dns</span><span class="o">-</span><span class="n">record</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="n">network</span><span class="o">-</span><span class="n">vlan</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">environments</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">main</span><span class="o">.</span><span class="n">tf</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">variables</span><span class="o">.</span><span class="n">tf</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">terraform</span><span class="o">.</span><span class="n">tfvars</span><span class="o">.</span><span class="n">example</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">ansible</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">inventory</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">hosts</span><span class="o">.</span><span class="n">yml</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="n">group_vars</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">playbooks</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">bootstrap</span><span class="o">.</span><span class="n">yml</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">k3s</span><span class="o">-</span><span class="n">server</span><span class="o">.</span><span class="n">yml</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">k3s</span><span class="o">-</span><span class="n">agent</span><span class="o">.</span><span class="n">yml</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="n">hardening</span><span class="o">.</span><span class="n">yml</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">roles</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">common</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">cis</span><span class="o">-</span><span class="n">level1</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">k3s</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">kubernetes</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">base</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">apps</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">monitoring</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">├──</span> <span class="n">storage</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="n">networking</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">policies</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">gatekeeper</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">seccomp</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="o">.</span><span class="n">gitlab</span><span class="o">-</span><span class="n">ci</span><span class="o">.</span><span class="n">yml</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="o">.</span><span class="n">sops</span><span class="o">.</span><span class="n">yaml</span> </span></span><span class="line"><span class="cl"><span class="err">└──</span> <span class="n">README</span><span class="o">.</span><span class="n">md</span> </span></span></code></pre></td></tr></table> </div> </div><p>Three clearly separated layers: provisioning (Terraform), node configuration (Ansible), and Kubernetes workloads. Security policies live inside <code>kubernetes/policies/</code> because they are Kubernetes resources, but I treat them as a conceptually distinct layer.</p> <h2 id="terraform-provisioning-with-proxmox">Terraform: provisioning with Proxmox </h2><p>The Proxmox provider for Terraform is the Telmate one (<code>telmate/proxmox</code>). It is not official, but it is the most widely used and works reasonably well.</p> <p>The <code>proxmox-vm</code> module wraps VM creation with the parameters I use regularly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="c1"># terraform/modules/proxmox-vm/main.tf </span></span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;proxmox_vm_qemu&#34; &#34;vm&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">name</span> </span></span><span class="line"><span class="cl"><span class="n"> target_node</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">target_node</span> </span></span><span class="line"><span class="cl"><span class="n"> clone</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">template</span> </span></span><span class="line"><span class="cl"><span class="n"> full_clone</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> cores</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">cores</span> </span></span><span class="line"><span class="cl"><span class="n"> memory</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">memory</span> </span></span><span class="line"><span class="cl"><span class="n"> sockets</span> <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">disk</span> { </span></span><span class="line"><span class="cl"><span class="n"> size</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">disk_size</span> </span></span><span class="line"><span class="cl"><span class="n"> type</span> <span class="o">=</span> <span class="s2">&#34;virtio&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> storage</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">storage_pool</span> </span></span><span class="line"><span class="cl"><span class="n"> discard</span> <span class="o">=</span> <span class="s2">&#34;on&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">network</span> { </span></span><span class="line"><span class="cl"><span class="n"> model</span> <span class="o">=</span> <span class="s2">&#34;virtio&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> bridge</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">network_bridge</span> </span></span><span class="line"><span class="cl"><span class="n"> tag</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">vlan_tag</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> ipconfig0</span> <span class="o">=</span><span class="n"> &#34;ip</span><span class="o">=</span><span class="n">${var.ip_address}/24,gw</span><span class="o">=</span><span class="si">${</span><span class="err">var</span><span class="p">.</span><span class="err">gateway</span><span class="si">}</span><span class="err">&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> nameserver</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">nameserver</span> </span></span><span class="line"><span class="cl"><span class="n"> searchdomain</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">searchdomain</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> ciuser</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">ssh_user</span> </span></span><span class="line"><span class="cl"><span class="n"> sshkeys</span> <span class="o">=</span> <span class="k">var</span><span class="p">.</span><span class="k">ssh_public_key</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">lifecycle</span> { </span></span><span class="line"><span class="cl"><span class="n"> ignore_changes</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="k">network</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></td></tr></table> </div> </div><p>Sensitive variables — the Proxmox API token, SSH keys — are not in the repository in plaintext. I use SOPS to encrypt the <code>terraform.tfvars</code> file with age:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># .sops.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">creation_rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path_regex</span><span class="p">:</span><span class="w"> </span><span class="l">.*\.tfvars$</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">age</span><span class="p">:</span><span class="w"> </span><span class="l">age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path_regex</span><span class="p">:</span><span class="w"> </span><span class="l">ansible/inventory/group_vars/.*\.yml$</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">age</span><span class="p">:</span><span class="w"> </span><span class="l">age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The encrypted file (<code>terraform.tfvars</code>) is committed to Git. Decrypting it requires the age private key, which lives on the CI server and my local machine — never in the repository.</p> <h2 id="ansible-node-configuration">Ansible: node configuration </h2><p>Once Terraform provisions the VMs, Ansible configures them. The <code>bootstrap.yml</code> playbook does the minimum needed to get a freshly created node into working shape:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># ansible/playbooks/bootstrap.yml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Bootstrap new nodes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hosts</span><span class="p">:</span><span class="w"> </span><span class="l">all</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">become</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">roles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">common</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">cis-level1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Configure K3s server nodes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hosts</span><span class="p">:</span><span class="w"> </span><span class="l">k3s_servers</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">become</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">roles</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">k3s</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>common</code> role installs base packages, configures NTP, hardens SSH, sets sysctl parameters, and creates system users. The <code>cis-level1</code> role applies CIS Benchmark Level 1 recommendations for Debian.</p> <p>I did not write the CIS role from scratch. I started from the community role <code>dev-sec/ansible-collection-hardening</code> and adapted it. There are quite a few tasks the default role applies that do not fit a homelab — things designed for production servers with strict audit requirements. I went through each task, understood what it did, and decided if it applied to my case.</p> <p>Some things I disabled:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># ansible/roles/cis-level1/defaults/main.yml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">os_auth_pam_pwquality_enable</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="c"># No local users with passwords</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">os_security_users_allow</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;vagrant&#34;</span><span class="p">]</span><span class="w"> </span><span class="c"># Dev environment only</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">os_filesystem_whitelist</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">vfat </span><span class="w"> </span><span class="c"># Required for UEFI boot</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>And some things I added specifically for K3s:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Kernel parameters required by K3s with protect-kernel-defaults</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kernel_parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- {<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kernel.panic&#34;</span><span class="nt">, value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10&#34;</span><span class="w"> </span>}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- {<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;kernel.panic_on_oops&#34;</span><span class="nt">, value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1&#34;</span><span class="w"> </span>}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- {<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;vm.overcommit_memory&#34;</span><span class="nt">, value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1&#34;</span><span class="w"> </span>}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- {<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;vm.panic_on_oom&#34;</span><span class="nt">, value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0&#34;</span><span class="w"> </span>}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- {<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;fs.inotify.max_user_watches&#34;</span><span class="nt">, value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;524288&#34;</span><span class="w"> </span>}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- {<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;fs.inotify.max_user_instances&#34;</span><span class="nt">, value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;512&#34;</span><span class="w"> </span>}<span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="kubernetes-manifests-with-kustomize">Kubernetes: manifests with Kustomize </h2><p>For Kubernetes manifests I use Kustomize over Helm where possible. Helm is more powerful for complex things, but for my own applications Kustomize is sufficient and produces readable YAML.</p> <p>The basic Kustomize structure:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">kubernetes/apps/monitoring/ </span></span><span class="line"><span class="cl">├── base/ </span></span><span class="line"><span class="cl">│ ├── kustomization.yaml </span></span><span class="line"><span class="cl">│ ├── namespace.yaml </span></span><span class="line"><span class="cl">│ ├── prometheus-deployment.yaml </span></span><span class="line"><span class="cl">│ └── grafana-deployment.yaml </span></span><span class="line"><span class="cl">└── overlays/ </span></span><span class="line"><span class="cl"> └── homelab/ </span></span><span class="line"><span class="cl"> ├── kustomization.yaml </span></span><span class="line"><span class="cl"> └── patches/ </span></span><span class="line"><span class="cl"> └── resource-limits.yaml </span></span></code></pre></td></tr></table> </div> </div><p>The <code>homelab</code> overlay adds environment-specific settings without modifying the base manifests:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/monitoring/overlays/homelab/patches/resource-limits.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apps/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prometheus</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">monitoring</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">prometheus</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;256Mi&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;100m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;512Mi&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;500m&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="opagatekeeper-policies-as-code">OPA/Gatekeeper: policies as code </h2><p>Gatekeeper is a Kubernetes admission controller that uses OPA (Open Policy Agent) to evaluate policies written in Rego. Instead of letting any pod deploy with any configuration, policies reject manifests that do not meet security requirements.</p> <p>Active policies:</p> <h3 id="no-containers-running-as-root">No containers running as root </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/policies/gatekeeper/no-root-containers.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">constraints.gatekeeper.sh/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">K8sPSPAllowedUsers</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">psp-pods-allowed-user-ranges</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;Pod&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">excludedNamespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">falco</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rule</span><span class="p">:</span><span class="w"> </span><span class="l">MustRunAsNonRoot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rule</span><span class="p">:</span><span class="w"> </span><span class="l">MustRunAs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ranges</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">min</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max</span><span class="p">:</span><span class="w"> </span><span class="m">65535</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="required-resource-limits">Required resource limits </h3><p>Without resource limits, a pod can consume all the node&rsquo;s memory and bring down the cluster. This policy prevents that:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/policies/gatekeeper/require-resource-limits.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">templates.gatekeeper.sh/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConstraintTemplate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k8srequiredresources</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">crd</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">K8sRequiredResources</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l">admission.k8s.gatekeeper.sh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rego</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> package k8srequiredresources </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> violation[{&#34;msg&#34;: msg}] { </span></span></span><span class="line"><span class="cl"><span class="sd"> container := input.review.object.spec.containers[_] </span></span></span><span class="line"><span class="cl"><span class="sd"> not container.resources.limits.memory </span></span></span><span class="line"><span class="cl"><span class="sd"> msg := sprintf(&#34;Container &#39;%v&#39; has no memory limit defined&#34;, [container.name]) </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> violation[{&#34;msg&#34;: msg}] { </span></span></span><span class="line"><span class="cl"><span class="sd"> container := input.review.object.spec.containers[_] </span></span></span><span class="line"><span class="cl"><span class="sd"> not container.resources.limits.cpu </span></span></span><span class="line"><span class="cl"><span class="sd"> msg := sprintf(&#34;Container &#39;%v&#39; has no CPU limit defined&#34;, [container.name]) </span></span></span><span class="line"><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">constraints.gatekeeper.sh/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">K8sRequiredResources</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-resource-limits</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;Pod&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">excludedNamespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">kube-system</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="trusted-image-registries">Trusted image registries </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/policies/gatekeeper/allowed-registries.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">templates.gatekeeper.sh/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConstraintTemplate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k8sallowedrepos</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">crd</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">K8sAllowedRepos</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validation</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">openAPIV3Schema</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">object</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">properties</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repos</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">array</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">items</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l">admission.k8s.gatekeeper.sh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rego</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> package k8sallowedrepos </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> violation[{&#34;msg&#34;: msg}] { </span></span></span><span class="line"><span class="cl"><span class="sd"> container := input.review.object.spec.containers[_] </span></span></span><span class="line"><span class="cl"><span class="sd"> not any_repo_matches(container.image) </span></span></span><span class="line"><span class="cl"><span class="sd"> msg := sprintf(&#34;Image &#39;%v&#39; does not come from an allowed registry&#34;, [container.image]) </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> any_repo_matches(image) { </span></span></span><span class="line"><span class="cl"><span class="sd"> repo := input.parameters.repos[_] </span></span></span><span class="line"><span class="cl"><span class="sd"> startswith(image, repo) </span></span></span><span class="line"><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">constraints.gatekeeper.sh/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">K8sAllowedRepos</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allowed-registries</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;Pod&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">excludedNamespaces</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repos</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;registry.homelab.internal/&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;ghcr.io/my-user/&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;quay.io/prometheus/&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;grafana/&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="seccomp-profiles">Seccomp profiles </h2><p>Seccomp profiles restrict which system calls a container can make. Kubernetes has a default profile (<code>RuntimeDefault</code>) that is already reasonable, but for applications I know well I define tighter profiles.</p> <p>The profiles live in the repository and are deployed as ConfigMaps or directly to the nodes:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="c1">// kubernetes/policies/seccomp/web-app-profile.json </span></span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;defaultAction&#34;</span><span class="p">:</span> <span class="s2">&#34;SCMP_ACT_ERRNO&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;architectures&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;SCMP_ARCH_X86_64&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;syscalls&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;names&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;accept4&#34;</span><span class="p">,</span> <span class="s2">&#34;bind&#34;</span><span class="p">,</span> <span class="s2">&#34;brk&#34;</span><span class="p">,</span> <span class="s2">&#34;clone&#34;</span><span class="p">,</span> <span class="s2">&#34;close&#34;</span><span class="p">,</span> <span class="s2">&#34;connect&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;epoll_create1&#34;</span><span class="p">,</span> <span class="s2">&#34;epoll_ctl&#34;</span><span class="p">,</span> <span class="s2">&#34;epoll_wait&#34;</span><span class="p">,</span> <span class="s2">&#34;execve&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;exit_group&#34;</span><span class="p">,</span> <span class="s2">&#34;fcntl&#34;</span><span class="p">,</span> <span class="s2">&#34;fstat&#34;</span><span class="p">,</span> <span class="s2">&#34;futex&#34;</span><span class="p">,</span> <span class="s2">&#34;getdents64&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;getpid&#34;</span><span class="p">,</span> <span class="s2">&#34;getsockname&#34;</span><span class="p">,</span> <span class="s2">&#34;getsockopt&#34;</span><span class="p">,</span> <span class="s2">&#34;listen&#34;</span><span class="p">,</span> <span class="s2">&#34;lstat&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mmap&#34;</span><span class="p">,</span> <span class="s2">&#34;mprotect&#34;</span><span class="p">,</span> <span class="s2">&#34;munmap&#34;</span><span class="p">,</span> <span class="s2">&#34;nanosleep&#34;</span><span class="p">,</span> <span class="s2">&#34;newfstatat&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;openat&#34;</span><span class="p">,</span> <span class="s2">&#34;poll&#34;</span><span class="p">,</span> <span class="s2">&#34;prctl&#34;</span><span class="p">,</span> <span class="s2">&#34;read&#34;</span><span class="p">,</span> <span class="s2">&#34;recvfrom&#34;</span><span class="p">,</span> <span class="s2">&#34;rt_sigaction&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;rt_sigprocmask&#34;</span><span class="p">,</span> <span class="s2">&#34;rt_sigreturn&#34;</span><span class="p">,</span> <span class="s2">&#34;sendto&#34;</span><span class="p">,</span> <span class="s2">&#34;set_robust_list&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;setsockopt&#34;</span><span class="p">,</span> <span class="s2">&#34;sigaltstack&#34;</span><span class="p">,</span> <span class="s2">&#34;socket&#34;</span><span class="p">,</span> <span class="s2">&#34;stat&#34;</span><span class="p">,</span> <span class="s2">&#34;write&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;action&#34;</span><span class="p">:</span> <span class="s2">&#34;SCMP_ACT_ALLOW&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Referenced from the pod spec:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Localhost</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">localhostProfile</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;web-app-profile.json&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Building a seccomp profile from scratch is tedious. My approach is to start with <code>RuntimeDefault</code>, use <code>strace</code> to see what syscalls the application actually makes, and then build a tighter profile for workloads I want to restrict further.</p> <h2 id="cicd-pipeline">CI/CD pipeline </h2><p>The repository has a GitLab CI pipeline that automates applying changes. The flow is:</p> <ul> <li>On merge requests: <code>terraform plan</code> and <code>ansible-lint</code> to catch problems before merging</li> <li>On merge to <code>main</code>: <code>terraform apply</code> and, if Ansible files changed, the corresponding playbook</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># .gitlab-ci.yml (excerpt)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">stages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">validate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">plan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">apply</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">TF_ROOT</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${CI_PROJECT_DIR}/terraform/environments&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ANSIBLE_CONFIG</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${CI_PROJECT_DIR}/ansible/ansible.cfg&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">terraform-validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">validate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">hashicorp/terraform:1.6</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">cd &#34;$TF_ROOT&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">terraform init -backend=false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">terraform validate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">changes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">terraform/**/*</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">terraform-plan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">plan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">hashicorp/terraform:1.6</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">cd &#34;$TF_ROOT&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">terraform init</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">terraform plan -out=tfplan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;${TF_ROOT}/tfplan&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expire_in</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="l">week</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_PIPELINE_SOURCE == &#34;merge_request_event&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">changes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">terraform/**/*</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">terraform-apply</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">apply</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">hashicorp/terraform:1.6</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">cd &#34;$TF_ROOT&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">terraform init</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">terraform apply -auto-approve</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">changes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">terraform/**/*</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">manual</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">ansible-lint</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">validate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">python:3.11-slim</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">pip install ansible ansible-lint</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ansible-lint ansible/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">changes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ansible/**/*</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>terraform apply</code> is manual — I do not want infrastructure changing automatically without my approval. The plan runs automatically on the MR for visibility.</p> <h2 id="what-i-sanitized">What I sanitized </h2><p>Publishing the repository required reviewing what should not be there:</p> <ul> <li><strong>Internal IPs</strong>: replaced with example ranges (<code>192.168.1.x</code>)</li> <li><strong>Domain names</strong>: the internal homelab domain (<code>homelab.internal</code> in the repo, something different in production)</li> <li><strong>Usernames</strong>: real usernames are not in the repository</li> <li><strong>SSH public keys</strong>: replaced with placeholders</li> <li><strong>Password hashes</strong>: removed from the Ansible inventory</li> <li><strong>Application secrets</strong>: encrypted with SOPS or removed, with an <code>.example</code> file alongside</li> </ul> <p>The rule I followed: if someone with access to my local network could use that information to attack something, it does not go into the repository in plaintext. Everything else can be there.</p> <h2 id="what-is-still-pending">What is still pending </h2><p>There are still things I manage by hand that should be codified:</p> <p><strong>OpenWrt</strong>: the router configuration is the hardest to bring into IaC. There is a Terraform module for OpenWrt that is not very well maintained. For now I manage it with an Ansible script that backs up the configuration and another that restores it. Not idempotent, but it works.</p> <p><strong>TrueNAS</strong>: it has a fairly complete REST API. There is a Terraform provider in development. It is on my radar for the next iteration.</p> <p><strong>Backups</strong>: I have backups, but the process is not in the repository. It lives in another loose script that will eventually end up here.</p> <p>The repository is never &ldquo;finished.&rdquo; What matters is that the current state of the homelab is represented in it, and that any change goes through Git.</p>Infrastructure as code with Terraform: a practical guidehttps://adurrr.github.io/en/p/infrastructure-as-code-with-terraform-a-practical-guide/Sat, 10 Sep 2022 00:00:00 +0000https://adurrr.github.io/en/p/infrastructure-as-code-with-terraform-a-practical-guide/<h2 id="why-infrastructure-as-code-matters">Why infrastructure as code matters </h2><p>Managing infrastructure manually through web consoles or ad-hoc scripts creates problems that pile up over time: inconsistent environments, undocumented changes, impossible rollbacks, and the classic &ldquo;it works on my machine&rdquo; extended to entire servers.</p> <p>Infrastructure as Code (IaC) fixes this by treating infrastructure like application code: it&rsquo;s written, versioned, reviewed, tested, and applied through automated workflows. The benefits show up right away:</p> <ul> <li><strong>Reproducibility</strong>: Spin up identical environments in minutes, not days.</li> <li><strong>Version control</strong>: Every infrastructure change goes through a PR with code review.</li> <li><strong>Documentation by default</strong>: The code <em>is</em> the documentation of what your infrastructure looks like.</li> <li><strong>Disaster recovery</strong>: Rebuild everything from code if a region goes down.</li> <li><strong>Cost visibility</strong>: Review infrastructure changes before they are applied (and before they start costing money).</li> </ul> <h2 id="terraform-vs-other-tools">Terraform vs other tools </h2><p>Several IaC tools exist. Here&rsquo;s how Terraform compares to the main alternatives:</p> <table> <thead> <tr> <th>Feature</th> <th>Terraform</th> <th>Pulumi</th> <th>CloudFormation</th> <th>Ansible</th> </tr> </thead> <tbody> <tr> <td><strong>Language</strong></td> <td>HCL (declarative)</td> <td>Python, TypeScript, Go, etc.</td> <td>JSON/YAML</td> <td>YAML (procedural)</td> </tr> <tr> <td><strong>Cloud support</strong></td> <td>Multi-cloud</td> <td>Multi-cloud</td> <td>AWS only</td> <td>Multi-cloud (via modules)</td> </tr> <tr> <td><strong>State management</strong></td> <td>Explicit state file</td> <td>Managed by Pulumi service</td> <td>Managed by AWS</td> <td>Stateless</td> </tr> <tr> <td><strong>Learning curve</strong></td> <td>Moderate</td> <td>Varies by language</td> <td>Moderate</td> <td>Low</td> </tr> <tr> <td><strong>Ecosystem</strong></td> <td>Huge provider ecosystem</td> <td>Growing</td> <td>AWS-only but deep</td> <td>Huge role ecosystem</td> </tr> <tr> <td><strong>Best for</strong></td> <td>Multi-cloud infra</td> <td>Teams that prefer general-purpose languages</td> <td>AWS-only shops</td> <td>Configuration management</td> </tr> </tbody> </table> <p>Terraform&rsquo;s sweet spot is multi-cloud infrastructure provisioning with a declarative approach. If you&rsquo;re on AWS only and want tight integration, CloudFormation is reasonable. If your team prefers writing Python over HCL, Pulumi deserves a look. But for most teams managing infrastructure across providers, Terraform is the pragmatic choice.</p> <h2 id="core-concepts">Core concepts </h2><h3 id="providers">Providers </h3><p>Providers are plugins that let Terraform interact with APIs — AWS, Azure, GCP, Kubernetes, GitHub, Cloudflare, and hundreds more.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">terraform</span> { </span></span><span class="line"><span class="cl"> <span class="k">required_providers</span> { </span></span><span class="line"><span class="cl"><span class="n"> aws</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;hashicorp/aws&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;~&gt; 5.0&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">provider</span> <span class="s2">&#34;aws&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> region</span> <span class="o">=</span> <span class="s2">&#34;eu-west-1&#34;</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></td></tr></table> </div> </div><h3 id="resources">Resources </h3><p>Resources are the fundamental building blocks. Each resource block describes one infrastructure object.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_instance&#34; &#34;web&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> ami</span> <span class="o">=</span> <span class="s2">&#34;ami-0c55b159cbfafe1f0&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> instance_type</span> <span class="o">=</span> <span class="s2">&#34;t3.micro&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> tags</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> Name</span> <span class="o">=</span> <span class="s2">&#34;web-server&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></td></tr></table> </div> </div><h3 id="state">State </h3><p>Terraform maintains a <strong>state file</strong> that maps your configuration to real-world resources. This is how Terraform knows what exists, what needs to change, and what to destroy. The state file is critical. Losing it means Terraform loses track of your infrastructure.</p> <h3 id="modules">Modules </h3><p>Modules are reusable packages of Terraform configuration. Think of them as functions: they take inputs (variables), create resources, and produce outputs.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">module</span> <span class="s2">&#34;vpc&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;terraform-aws-modules/vpc/aws&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;5.1.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="s2">&#34;my-vpc&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> cidr</span> <span class="o">=</span> <span class="s2">&#34;10.0.0.0/16&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> azs</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;eu-west-1a&#34;, &#34;eu-west-1b&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> private_subnets</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;10.0.1.0/24&#34;, &#34;10.0.2.0/24&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n"> public_subnets</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;10.0.101.0/24&#34;, &#34;10.0.102.0/24&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> enable_nat_gateway</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></td></tr></table> </div> </div><h2 id="practical-example-vpc--ec2">Practical example: VPC + EC2 </h2><p>Here&rsquo;s a complete example that provisions a VPC with a public subnet and an EC2 instance:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">terraform</span> { </span></span><span class="line"><span class="cl"><span class="n"> required_version</span> <span class="o">=</span><span class="n"> &#34;&gt;</span><span class="o">=</span> <span class="m">1</span><span class="p">.</span><span class="m">5</span><span class="p">.</span><span class="m">0</span><span class="err">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">required_providers</span> { </span></span><span class="line"><span class="cl"><span class="n"> aws</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;hashicorp/aws&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;~&gt; 5.0&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">provider</span> <span class="s2">&#34;aws&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> region</span> <span class="o">=</span> <span class="s2">&#34;eu-west-1&#34;</span> </span></span><span class="line"><span class="cl">}<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># --- Networking --- </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_vpc&#34; &#34;main&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> cidr_block</span> <span class="o">=</span> <span class="s2">&#34;10.0.0.0/16&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> enable_dns_support</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"><span class="n"> enable_dns_hostnames</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> tags</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> Name</span> <span class="o">=</span> <span class="s2">&#34;main-vpc&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_subnet&#34; &#34;public&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> vpc_id</span> <span class="o">=</span> <span class="k">aws_vpc</span><span class="p">.</span><span class="k">main</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"><span class="n"> cidr_block</span> <span class="o">=</span> <span class="s2">&#34;10.0.1.0/24&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> availability_zone</span> <span class="o">=</span> <span class="s2">&#34;eu-west-1a&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> map_public_ip_on_launch</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> tags</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> Name</span> <span class="o">=</span> <span class="s2">&#34;public-subnet&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_internet_gateway&#34; &#34;gw&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> vpc_id</span> <span class="o">=</span> <span class="k">aws_vpc</span><span class="p">.</span><span class="k">main</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> tags</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> Name</span> <span class="o">=</span> <span class="s2">&#34;main-igw&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_route_table&#34; &#34;public&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> vpc_id</span> <span class="o">=</span> <span class="k">aws_vpc</span><span class="p">.</span><span class="k">main</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">route</span> { </span></span><span class="line"><span class="cl"><span class="n"> cidr_block</span> <span class="o">=</span> <span class="s2">&#34;0.0.0.0/0&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> gateway_id</span> <span class="o">=</span> <span class="k">aws_internet_gateway</span><span class="p">.</span><span class="k">gw</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> tags</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> Name</span> <span class="o">=</span> <span class="s2">&#34;public-rt&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_route_table_association&#34; &#34;public&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> subnet_id</span> <span class="o">=</span> <span class="k">aws_subnet</span><span class="p">.</span><span class="k">public</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"><span class="n"> route_table_id</span> <span class="o">=</span> <span class="k">aws_route_table</span><span class="p">.</span><span class="k">public</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl">}<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># --- Security Group --- </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_security_group&#34; &#34;web&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="s2">&#34;web-sg&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> description</span> <span class="o">=</span> <span class="s2">&#34;Allow HTTP and SSH&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> vpc_id</span> <span class="o">=</span> <span class="k">aws_vpc</span><span class="p">.</span><span class="k">main</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">ingress</span> { </span></span><span class="line"><span class="cl"><span class="n"> from_port</span> <span class="o">=</span> <span class="m">80</span> </span></span><span class="line"><span class="cl"><span class="n"> to_port</span> <span class="o">=</span> <span class="m">80</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> cidr_blocks</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;0.0.0.0/0&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">ingress</span> { </span></span><span class="line"><span class="cl"><span class="n"> from_port</span> <span class="o">=</span> <span class="m">22</span> </span></span><span class="line"><span class="cl"><span class="n"> to_port</span> <span class="o">=</span> <span class="m">22</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;tcp&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> cidr_blocks</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;YOUR_IP/32&#34;</span><span class="p">]</span><span class="c1"> # Restrict to your IP </span></span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">egress</span> { </span></span><span class="line"><span class="cl"><span class="n"> from_port</span> <span class="o">=</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="n"> to_port</span> <span class="o">=</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="n"> protocol</span> <span class="o">=</span> <span class="s2">&#34;-1&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> cidr_blocks</span> <span class="o">=</span> <span class="p">[</span><span class="s2">&#34;0.0.0.0/0&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">}<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># --- EC2 Instance --- </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_instance&#34; &#34;web&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> ami</span> <span class="o">=</span> <span class="s2">&#34;ami-0c55b159cbfafe1f0&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> instance_type</span> <span class="o">=</span> <span class="s2">&#34;t3.micro&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> subnet_id</span> <span class="o">=</span> <span class="k">aws_subnet</span><span class="p">.</span><span class="k">public</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"><span class="n"> vpc_security_group_ids</span> <span class="o">=</span> <span class="p">[</span><span class="k">aws_security_group</span><span class="p">.</span><span class="k">web</span><span class="p">.</span><span class="k">id</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> tags</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> Name</span> <span class="o">=</span> <span class="s2">&#34;web-server&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">}<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># --- Outputs --- </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">output</span> <span class="s2">&#34;instance_public_ip&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> value</span> <span class="o">=</span> <span class="k">aws_instance</span><span class="p">.</span><span class="k">web</span><span class="p">.</span><span class="k">public_ip</span> </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">output</span> <span class="s2">&#34;vpc_id&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> value</span> <span class="o">=</span> <span class="k">aws_vpc</span><span class="p">.</span><span class="k">main</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl">} </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-planapply-workflow">The plan/apply workflow </h2><p>Terraform follows a predictable workflow:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. Initialize - download providers and modules</span> </span></span><span class="line"><span class="cl">terraform init </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. Format - ensure consistent code style</span> </span></span><span class="line"><span class="cl">terraform fmt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. Validate - check syntax and configuration</span> </span></span><span class="line"><span class="cl">terraform validate </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 4. Plan - preview what will change (critical step!)</span> </span></span><span class="line"><span class="cl">terraform plan -out<span class="o">=</span>tfplan </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 5. Apply - execute the plan</span> </span></span><span class="line"><span class="cl">terraform apply tfplan </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 6. Destroy - tear down all resources (when needed)</span> </span></span><span class="line"><span class="cl">terraform destroy </span></span></code></pre></td></tr></table> </div> </div><p>The <code>terraform plan</code> step is the most important. Never skip it. Always review the plan output before applying, especially in production. The plan shows you exactly what will be created, modified, or destroyed.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Example plan output</span> </span></span><span class="line"><span class="cl">Plan: <span class="m">6</span> to add, <span class="m">0</span> to change, <span class="m">0</span> to destroy. </span></span></code></pre></td></tr></table> </div> </div><p>In CI/CD pipelines, save the plan to a file (<code>-out=tfplan</code>) and apply that exact plan. This prevents race conditions where infrastructure changes between the plan and apply steps.</p> <h2 id="state-management-best-practices">State management best practices </h2><p>State management is where most Terraform problems originate. Follow these practices:</p> <h3 id="use-a-remote-backend">Use a remote backend </h3><p>Never store state locally or in Git. Use a remote backend with encryption and locking:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">terraform</span> { </span></span><span class="line"><span class="cl"> <span class="k">backend</span> <span class="s2">&#34;s3&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> bucket</span> <span class="o">=</span> <span class="s2">&#34;my-terraform-state&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> key</span> <span class="o">=</span> <span class="s2">&#34;prod/networking/terraform.tfstate&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> region</span> <span class="o">=</span> <span class="s2">&#34;eu-west-1&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> encrypt</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"><span class="n"> dynamodb_table</span> <span class="o">=</span> <span class="s2">&#34;terraform-locks&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></td></tr></table> </div> </div><p>The DynamoDB table provides <strong>state locking</strong>. This prevents two people or pipelines from modifying the same infrastructure at the same time.</p> <h3 id="organize-state-by-component">Organize state by component </h3><p>Don&rsquo;t put all your infrastructure in one state file. Split by component or team:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">environments</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">prod</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">networking</span><span class="o">/</span> <span class="c1"># VPC, subnets, routes</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">compute</span><span class="o">/</span> <span class="c1"># EC2, ASGs, load balancers</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">database</span><span class="o">/</span> <span class="c1"># RDS instances</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">monitoring</span><span class="o">/</span> <span class="c1"># CloudWatch, alerts</span> </span></span><span class="line"><span class="cl"><span class="err">└──</span> <span class="n">staging</span><span class="o">/</span> </span></span><span class="line"><span class="cl"> <span class="err">├──</span> <span class="n">networking</span><span class="o">/</span> </span></span><span class="line"><span class="cl"> <span class="err">├──</span> <span class="n">compute</span><span class="o">/</span> </span></span><span class="line"><span class="cl"> <span class="err">└──</span> <span class="n">database</span><span class="o">/</span> </span></span></code></pre></td></tr></table> </div> </div><p>Smaller state files mean faster plans, smaller blast radius, and fewer teams competing for locks.</p> <h3 id="use-terraform_remote_state-sparingly">Use <code>terraform_remote_state</code> sparingly </h3><p>You can reference outputs from other state files, but use it carefully. Over-reliance on remote state creates tight coupling between components. Prefer passing values through variables or a parameter store.</p> <h2 id="tips-for-production-use">Tips for production use </h2><ol> <li> <p><strong>Pin provider versions.</strong> Use <code>~&gt;</code> constraints to allow patch updates but prevent breaking changes: <code>version = &quot;~&gt; 5.0&quot;</code>.</p> </li> <li> <p><strong>Use workspaces carefully.</strong> Workspaces are useful for simple environment separation but get confusing at scale. Separate directories per environment is usually clearer.</p> </li> <li> <p><strong>Implement a CI/CD pipeline for Terraform.</strong> Run <code>terraform plan</code> on PRs and post the output as a PR comment. Run <code>terraform apply</code> only after merge and approval.</p> </li> <li> <p><strong>Use <code>prevent_destroy</code> for critical resources.</strong> This lifecycle rule stops accidental destruction of databases or persistent storage:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;aws_db_instance&#34; &#34;main&#34;</span> {<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> # ... </span></span></span><span class="line"><span class="cl"> <span class="k">lifecycle</span> { </span></span><span class="line"><span class="cl"><span class="n"> prevent_destroy</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></td></tr></table> </div> </div></li> <li> <p><strong>Tag everything.</strong> Use a <code>default_tags</code> block in the provider to ensure every resource gets standard tags (environment, team, project).</p> </li> <li> <p><strong>Use <code>tflint</code> and <code>checkov</code>.</strong> Lint your Terraform code and scan for security misconfigurations before applying.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tflint --init </span></span><span class="line"><span class="cl">tflint </span></span><span class="line"><span class="cl">checkov -d . </span></span></code></pre></td></tr></table> </div> </div></li> <li> <p><strong>Import existing resources.</strong> If you have manually created infrastructure, use <code>terraform import</code> to bring it under management instead of recreating it.</p> </li> <li> <p><strong>Review the plan diff carefully.</strong> A resource showing &ldquo;destroy and recreate&rdquo; might cause downtime. Understand which changes are in-place versus destructive.</p> </li> </ol> <p>Terraform is one of those tools that rewards discipline. The more consistently you follow these practices, the more confidently your team manages infrastructure at scale.</p>