The DevOps Jedi

Taking the cloud by storm one line of code at a time....

How I Protect Secrets In Terraform Configurations

2023-01-21 · 3 min read · Darren Johnson

I have already touched on the importance of Terraform state in a previous post, but I wanted to expand on this from a security perspective.

Let’s get this out of the way now: Terraform stores secrets in its state file in plain text. There, I said it.

So how do I protect against secrets being revealed that could allow an attacker to compromise my systems? Well, I use a defence in depth strategy in a number of ways.
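One way to see the problem and the first layer of mitigation in practice. This is an added example, not code from the post: `sensitive = true` only redacts the value from plan and apply output, while a remote backend keeps the state out of the working directory. The resource names, storage account and container names are placeholders.

```hcl
# A generated secret that ends up in state whatever you do.
resource "random_password" "db" {
  length  = 32
  special = true
}

output "db_password" {
  value     = random_password.db.result
  # Redacts the value from `terraform plan` / `terraform apply` output only.
  # The state file still holds it in plain text; check with:
  #   terraform state pull | jq '.resources[] | select(.type == "random_password")'
  sensitive = true
}

# Keep state in a remote backend rather than on an engineer's laptop or in git.
# Azure Storage encrypts blobs at rest; access is governed by RBAC on the
# storage account, so the people who can read the secret are the people who
# can read the state. Names below are placeholders.
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "sttfstate"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true  # avoid a storage account key on disk
  }
}
```

The caveat worth remembering is that `sensitive` is a display control, not an encryption control. Whoever can read the state file (the backend, CI runners, anyone with the blob's RBAC role) can read the secret.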


Use Of Terraform Child Modules

2023-01-20 · 3 min read · Darren Johnson

Terraform uses the construct of a module, which is defined by HashiCorp as “a set of Terraform configuration files in a single directory”.

The root module consists of the resources defined in the main working directory (which I like to refer to as the ‘execution folder’). However, you can also call other modules to include their configuration. These are known as child modules, and they can be shared and reused by multiple root module configurations. Sounds good, doesn’t it?
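A minimal root module calling a child module, as an added example rather than code from the post. The point a security engineer cares about is that the child module bakes in hardened defaults, so every root configuration that reuses it inherits them. File paths, resource names and the `uksouth` region are assumptions.

```hcl
# modules/storage/variables.tf  (child module inputs)
variable "name"                { type = string }
variable "location"            { type = string }
variable "resource_group_name" { type = string }

# modules/storage/main.tf  (child module resource with secure defaults)
resource "azurerm_storage_account" "this" {
  name                     = var.name
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Hardened settings that callers get without having to remember them.
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}

# modules/storage/outputs.tf  (what the root module is allowed to see)
output "id" {
  value = azurerm_storage_account.this.id
}

# prod/main.tf  (root module, the ‘execution folder’)
resource "azurerm_resource_group" "prod" {
  name     = "rg-prod"
  location = "uksouth"
}

module "logs" {
  source              = "../modules/storage"
  name                = "stlogsprod"
  location            = azurerm_resource_group.prod.location
  resource_group_name = azurerm_resource_group.prod.name
}

# A second root configuration (e.g. dev/main.tf) can call the same source
# with different inputs and gets the same TLS and public-access settings.
```

Because the child module exposes only the variables it declares, a caller cannot silently weaken `min_tls_version` unless the module author chooses to make it an input.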


How To Generate JSON With Terraform Without Using Heredoc Strings

2023-01-08 · 4 min read · Darren Johnson

This is something I’ve only recently discovered but thought it was worth sharing here.

I have a few configurations where I need to pass JSON to Terraform to process. The resource where I do this most is azurerm_virtual_machine_extension. The HashiCorp example documentation still shows the use of heredoc strings, which is probably why I hadn’t picked up on the alternative until now.

I recently discovered a HashiCorp article where they explain that by using the jsonencode and yamlencode functions “Terraform can be responsible for guaranteeing valid JSON or YAML syntax”. This sounded good to me, as JSON syntax is not very forgiving and is designed to be read and processed by machines, not humans. If you put a comma or a bracket in the wrong place, you will soon be in a whole world of pain. The same is true for YAML and its indentation.
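The heredoc form beside the jsonencode form for the same extension, as an added example (not the post’s own code). Beyond syntax, jsonencode escapes every value it is given, so a variable containing a quote or a newline cannot break out of the JSON document the way it can when interpolated into a heredoc. The VM reference and the variable names are assumptions.

```hcl
variable "run_command" {
  type = string
  # Constructed input with characters that would corrupt a hand-written
  # heredoc; jsonencode escapes the quotes and the newline correctly.
  default = "echo \"hello\" && uptime\n"
}

resource "azurerm_virtual_machine_extension" "custom_script" {
  name                 = "custom-script"
  virtual_machine_id   = azurerm_linux_virtual_machine.example.id
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScript"
  type_handler_version = "2.1"

  # Heredoc form from the provider docs. Terraform treats this as an opaque
  # string: a stray comma, or a ${var.run_command} containing a quote,
  # is only discovered when Azure rejects the extension.
  #
  # settings = <<SETTINGS
  #   {
  #     "commandToExecute": "${var.run_command}"
  #   }
  # SETTINGS

  # jsonencode form: Terraform builds the object and guarantees valid JSON.
  settings = jsonencode({
    commandToExecute = var.run_command
  })

  # Same technique for the protected block; Azure encrypts these at rest
  # on the VM, but they still pass through, and land in, Terraform state.
  protected_settings = jsonencode({
    storageAccountName = var.storage_account_name
    storageAccountKey  = var.storage_account_key
  })
}
```

`terraform console` is a quick way to check what jsonencode produces before applying, e.g. `jsonencode({ commandToExecute = "echo \"hi\"" })` returns `{"commandToExecute":"echo \"hi\""}` with the inner quotes escaped.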


How I Structure Terraform Folders & Apply Naming Standards

2023-01-07 · 5 min read · Darren Johnson

When I started using Terraform in 2018 the content online was mainly written from a developer’s perspective and was based on deploying resources into AWS. This was a great starting point, and the key messages in the blogs I read were all fairly consistent and seemed to align with the excellent blog series by Yevgeniy Brikman from 2016, which is well worth a read.

So, I read the series, took all the key messages on board and started deploying resources into Azure. However, as our environment began to scale and more engineers came on board, it was soon clear I needed to formalise our ways of working to ensure everyone followed a standard approach, as we wouldn’t be operating the ‘you build it, you run it’ model. This meant that once cloud services were provisioned and live, they needed to be handed over to operations, who would also need to understand the Terraform configuration.
