Gokul Pisharody's Blog

Day-4-terraform

Understanding Terraform State: A Deep Dive into Remote Backends and State Locking

Gokul Pisharody's photo
Gokul Pisharody
·

6 min read

TLDR: This blog post explores the concept of Terraform state files, their advantages and disadvantages, and how to implement remote backends using AWS S3. It also covers the importance of state file locking and how to implement it using DynamoDB, providing a comprehensive guide for DevOps engineers.

In this blog post, we will explore the concept of Terraform state files, their significance in managing infrastructure, and the challenges associated with them. We will also discuss how to implement remote backends using AWS S3 to enhance security and collaboration among DevOps teams. Finally, we will cover the importance of state file locking and how to implement it using DynamoDB.

Terraform → state file (terraform.tfstate) → recording the information about the infrastructure that has been created
terraform apply → compare → already created infrastructure & creating infrastructure
already created infrastructure → ec2 → name,type,ami
creating infrastructure → ec2 → name,type,ami ,tag
so only tag is updated , and other feature will remain same (name,type,ami)
Terraform → issue
→updated code + updated state file (after→terraform apply) → both should be pushed → github
updated state file → not pushed , updated code → only pushed to github
state file will get corrupted → when other will pull the code from github → code is updated , but state file is not
state file in local === code in github
remote backend → backend.tf
updated state file (after→terraform apply) → s3 bucket / terraform cloud
updated code→ github
state file in s3 === code in github
terraform init → pull state file from s3

code

# main.tf
provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "abhishek" {
  instance_type = "t2.micro"
  ami = "ami-053b0d53c279acc90" # change this
  subnet_id = "subnet-019ea91ed9b5252e7" # change this
}

resource "aws_s3_bucket" "s3_bucket" {
  bucket = "abhishek-s3-demo-xyz" # change this
}

# -> i-pa ->create s3 bucket -> delete local terraform.tfstate -> create backend.tf

# backend.tf
terraform {
  backend "s3" {
    bucket         = "abhishek-s3-demo-xyz" # change this
    key            = "abhi/terraform.tfstate"
    region         = "us-east-1"
  }
}

# bucket name of  main.tf === bucket name of backend.tf 
# terraform init -> try to pull state file from s3
# terraform apply -> push state file to s3
s3 → abhishek-s3-demo-xyz → abhi (folder)→ terraform.tfstate
terraform show → read state file from s3 bucket
state → locking → only a single person can perform a task at a time → dynamo db
 
# main.tf
provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "abhishek" {
  instance_type = "t2.micro"
  ami = "ami-053b0d53c279acc90" # change this
  subnet_id = "subnet-019ea91ed9b5252e7" # change this
}

resource "aws_s3_bucket" "s3_bucket" {
  bucket = "abhishek-s3-demo-xyz" # change this
}

resource "aws_dynamodb_table" "terraform_lock" {
  name           = "terraform-lock"
  billing_mode   = "PAY_PER_REQUEST"
  hash_key       = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}

# -> i-pa ->create dynamodb_table -> create backend.tf

# backend.tf 
terraform {
  backend "s3" {
    bucket         = "abhishek-s3-demo-xyz" # s3_bucket name from above
    key            = "abhi/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-lock"   # dynamo_db name from above
  }
}

# dynamodb name of  main.tf === dynamodb name of backend.tf

What is a Terraform State File?

The Terraform state file is a crucial component of Terraform's infrastructure management. It acts as the heart of Terraform, recording the information about the infrastructure that has been created. For instance, when you define a resource like an EC2 instance in your Terraform configuration and execute terraform apply, Terraform creates the resource and stores its details in the state file. This includes information such as the instance type, AMI ID, and instance name.

Advantages of Using a State File

  1. Infrastructure Tracking: The state file allows Terraform to keep track of the resources it manages. This is essential for updating or destroying resources accurately.

  2. Automation: By using the state file, Terraform can automate infrastructure changes without needing manual intervention through the AWS UI.

  3. Change Management: When you modify your Terraform configuration, Terraform compares the current state with the desired state recorded in the state file, allowing it to determine what changes need to be applied.

Disadvantages of Using a State File

While the state file offers numerous advantages, it also presents some challenges:

  1. Sensitive Information: The state file may contain sensitive data such as passwords or API tokens. If not handled properly, this information can be exposed to unauthorized users.

  2. Version Control Issues: Storing the state file in a version control system (VCS) can lead to complications. If multiple team members modify the infrastructure without updating the state file, it can result in inconsistencies and errors.

Addressing State File Challenges with Remote Backends

To mitigate the drawbacks of using a local state file, Terraform provides the concept of remote backends. Remote backends allow you to store the state file in a secure external location, such as an AWS S3 bucket.

Implementing Remote Backends with AWS S3

  1. Configuration: To use S3 as a remote backend, you need to create an S3 bucket and configure your Terraform project to use it. This involves creating a backend.tf file with the necessary configuration details, including the bucket name, region, and key.

  2. Security: By storing the state file in S3, you can leverage AWS IAM policies to restrict access, ensuring that only authorized users can access sensitive information.

  3. Automatic Updates: When using a remote backend, the state file is automatically updated in S3 whenever you run terraform apply, eliminating the need for team members to manage the state file manually.

State File Locking with DynamoDB

State file locking is essential in a collaborative environment where multiple team members may attempt to modify the infrastructure simultaneously. Terraform uses a locking mechanism to prevent conflicts and ensure that only one operation can modify the state file at a time.

Implementing State Locking with DynamoDB

  1. DynamoDB Table: To implement state locking, you can create a DynamoDB table that Terraform will use to manage locks. The table should have a primary key to uniquely identify the lock.

  2. Configuration: In your backend.tf file, you can specify the DynamoDB table name in the backend configuration. This allows Terraform to check for existing locks before proceeding with any operations.

  3. Lock Management: When a user runs a Terraform command, Terraform will attempt to acquire a lock in the DynamoDB table. If another user holds the lock, Terraform will prompt the second user to wait until the lock is released.

Conclusion

In this blog post, we have delved into the importance of Terraform state files, the advantages and disadvantages they present, and how to effectively manage them using remote backends and state locking mechanisms. By implementing these practices, DevOps teams can enhance collaboration, security, and efficiency in their infrastructure management processes.

Feel free to reach out with any questions or feedback in the comments section. Thank you for reading!

Remote BackendsTerraformstate locking