Terraform 0.12

I honestly love Terraform as a product. It was one of probably three tools I've used in my entire career that made me feel immediately more productive. After using it for a very short period of time I was shocked developers continued to struggle through CF templates and the fragility the whole process entailed.

My biggest hope is that this means that some effort can be directed back to fixing bugs. I love what terraform can do, but I hate what I sometimes need to write to make it work.<p>Also, I&#x27;ll go out on a limb and say that I dislike the flexibility of iteration allowed in HCL 2. I know that people overwhelmingly asked for it, but my opinion is that it demonstrates a fundamental misunderstanding of how the v. 11 and earlier system was designed, and just how powerful completely declarative code can be.

We are very heavy users of terraform. We have thousands of lines of HCL and our own providers etc...<p>Terraform 0.x before 0.12 was heavily limited due to the syntax, you just worked around so many limitations. We are actively ignoring those limitations and we started working without our own templates using jinja that just generate vanilla terraform. No counts and no if&#x2F;else needed.<p>Maybe with .12 we can move some of these back to plain terraform.<p>Upgrade so far is not smooth though, there are a lot of pains with the type system vs the plain old “I’ll figure it out for you”.<p>ALL of this being said, I really appreciate Hashicorp’s work on this, we could not imagine our life without terraform.

Terraform is an amazing piece of technology but the biggest thing holding it back is HCL. I guess the intention was for it to serve as a happy middle ground between a full blown programming language and a configuration language - enabling some abstractions, but yet rigid enough to stop developers getting too carried away. I think unfortunately that trying to have it both ways doesn&#x27;t really work and ends up leaving those writing the code frustrated - it&#x27;s almost as if it&#x27;s teasing you - you can feel there&#x27;s all this power under the hood and you are given things like modules which are nice, but you always feel like you&#x27;re on a of short leash.<p>I switched from Terraform to Pulumi for a personal project recently and haven&#x27;t looked back (no affiliation). Writing it with Typescript means you get excellent IDE support (using VSCode here) and access to the enormous JS ecosystem. I&#x27;ve also found myself creating a number of useful abstractions - that I would never have bothered to with HCL - like IAM helper functions, eg:<p><pre><code> const limitedReadAccessPolicy = createPolicy( &quot;product-table-read-access&quot;, allow( [&quot;dynamodb:Get*&quot;, &quot;dynamodb:Query&quot;], [table.arn, interpolate`${table.arn}&#x2F;index&#x2F;*`] ) ); </code></pre> vs<p><pre><code> resource &quot;aws_iam_policy&quot; &quot;product_read_access&quot; { name = &quot;madu_${var.env_name}_product_read&quot; policy = &lt;&lt;EOF { &quot;Version&quot;: &quot;2012-10-17&quot;, &quot;Statement&quot;: [ { &quot;Action&quot;: [ &quot;dynamodb:Get*&quot;, &quot;dynamodb:Query&quot; ], &quot;Effect&quot;: &quot;Allow&quot;, &quot;Resource&quot;: [ &quot;${aws_dynamodb_table.products.arn}&quot;, &quot;${aws_dynamodb_table.products.arn}&#x2F;index&#x2F;*&quot; ] } ] } EOF }</code></pre>

Terraform and Packer are the two most common tools I use with my DevOps consulting company. Most all of my clients previously were creating cloud resources manually within the U&#x2F;I control panel. Moving to Terraform is a game changer in terms of transparency, auditability, and automation. With the release of Terraform Cloud[1] which provides centralized state storage, locking, history, and integration with GitHub the HashiCorp stack is a no-brainer.<p>[1] <a href="https:&#x2F;&#x2F;app.terraform.io&#x2F;signup?utm_source=banner&amp;utm_campaign=intro_tf_cloud_remote" rel="nofollow">https:&#x2F;&#x2F;app.terraform.io&#x2F;signup?utm_source=banner&amp;utm_campai...</a>

Congratulations to the team for a monumental release! The significance of the changes involved to ship 0.12 seems understated. This release paves the path to implement many highly requested features and fixes. Most noteworthy of which, in my opinion, is module counts.

I’ve been very excited for this release. I’m a huge fan of Terraform—When I first started using it I quickly couldn’t imagine working without it, despite its many rough edges. But it continues to improve (I can think of very few projects that have had such large and consistent improvement) and this release is another huge step forward. Props to Hashicorp for the great work.

If you love terraform, please also look at Pulumi (I have no affiliation with them).<p><a href="https:&#x2F;&#x2F;pulumi.io&#x2F;reference&#x2F;vs&#x2F;terraform.html" rel="nofollow">https:&#x2F;&#x2F;pulumi.io&#x2F;reference&#x2F;vs&#x2F;terraform.html</a><p><a href="https:&#x2F;&#x2F;github.com&#x2F;pulumi&#x2F;tf2pulumi" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;pulumi&#x2F;tf2pulumi</a>

I work heavily with the Deployment Manager from GCP, so I am basically used to describe the infrastructure using python. What seriously bugged me about TF is how difficult it was to do simple stuff like having a nested loop within a resource. I know that 0.12 is supposed to help there and I am looking forward to the moment where TF will evolve into a proper programming language, supporting saner formats (already happening with json integration).

As someone using Terraform from it&#x27;s first release on I still think that Terraform has one fundamental flaw:<p>It always looks at things using provider specific resource, while IMHO it should just expose a bunch of predefined resource types (see rOCCI specs e.g.) and then allow you to attach a specific provider to it.<p>IMHO the biggest win as a user would be having not to have an implementation for every provider over and over. Do we really need to have a consul module for Azure, AWS, Tudeluuu and god knows who? No.<p>That being said, Terraform in the long run still is the most reliable tool in that space.<p>The whole situation about state management is... lacking. Experience says the one thing no client ever wants in the cloud but always on prem is state.

Question that&#x27;s been bugging me and I haven&#x27;t quite wrapped my head around --<p>For light usage, I find managing Terraform&#x27;s state to be a significant hurdle. You basically have no choice but to set up secure remote storage unless you want to check passwords into source control. In contrast `kubectl apply` is so easy to use since it&#x27;s stateless. It just creates or updates any resources provided, and it even supports --prune if you want the set of configuration to be treated as comprehensive.<p>It seems like the main things that Terraform adds:<p>1. The ability to work with providers that require you to store their generated IDs to reference later. With kubernetes, the kind and name of the resource is enough to identify it; it does get assigned a UID, but you don&#x27;t have to include that in the configuration since keys that are excluded are left as-is.<p>2. The ability to work with multiple different providers. I&#x27;m not sure how often you do have a single terraform project(is that the term?) with more than one provider, but I guess using the same set of tools, even if the configuration is provider-dependent, is nice.<p>Is that accurate? Does Terraform offer any other advantages?<p>If you were building a configuration mechanism for your system from scratch to allow your users to configure it as code, would you make .a Terraform provider over a command line tool that can apply [--prune] that same configuration?

I&#x27;ve been chasing infrastructure-as-code for a while, but I keep getting blocked by Terraform missing provider APIs (GCP Cloud Function Runtimes outside Nodejs, most recently), Kubernetes complexity, and generally being too lazy to sit down and bang out something in code that I can quickly iterate on with a console or quick CLI commands. I&#x27;ve had some wins with Serverless Framework, but outside that I&#x27;ve yet to see the payoff from the time I have put towards it. Am I defective?

The upgrade path for this has been an absolute nightmare, made worse by the fact that we sat on the `google` provider 1.16 (lots of GKE stuff like node taints was moved out to `google-beta` in `google` 2.0 and TF 0.12 requires `google` 2.5 at least). There isn&#x27;t even a straightforward transformation for many things. I get why it&#x27;s this way, but brace yourself.<p>I also made the mistake of `terraform plan`ning and updating my code as I went along. Just use `terraform validate`. Otherwise you&#x27;re going to inadvertently promote the statefile before you&#x27;re done dealing with all the issues (and you don&#x27;t want that because it prevents you from aborting your upgrade and switching back to 0.11 till you&#x27;re all ready). Not a real problem because the statefile is versioned but an annoyance nonetheless.<p>The type issues were mostly easy to deal with, except for where things that were assignments now being blocks. For instance, look at this:<p><pre><code> master_authorized_networks_config { cidr_blocks { cidr_block = &quot;10.0.0.0&#x2F;8&quot; display_name = &quot;Example &#x2F;8&quot; } cidr_blocks { cidr_block = &quot;10.1.2.3&#x2F;32&quot; display_name = &quot;Example &#x2F;32&quot; } } </code></pre> That looked like:<p><pre><code> master_authorized_networks_config = { cidr_blocks = [ { cidr_block = &quot;10.0.0.0&#x2F;8&quot; display_name = &quot;Example &#x2F;8&quot; }, { cidr_block = &quot;10.1.2.3&#x2F;32&quot; display_name = &quot;Example &#x2F;32&quot; }, ] } </code></pre> before and `terraform 0.12upgrade` isn&#x27;t about to help you navigate this. Especially if you previously assigned from a variable. In that case, it&#x27;s going to make this monstrosity of a `for_each` over that thing. Jesus Christ.<p>Still, I&#x27;m thrilled for the new stuff with the more type-safety. Not going to complain. If this is the price, then I&#x27;ll pay. I just wish they&#x27;d done more to help the upgrade, but it&#x27;s an 0.x release so fine.

Good stuff. It looks like they&#x27;ve addressed a few of the ergonomic issues in their language with this release. The old way of doing iteration and having to use string interpolations just to reference variables were annoying.

I’m a little unclear on terraform in practice.<p>As you supposed to download this, use it’s language and syntax which is all it’s own thing, to define you services and then export that to a YAML setup that AWS CloudFormation (for example) is expecting?<p>I assume there are reasons I wouldn’t just define it myself in YAML directly?

People often complain about HCL being very limiting, that they are sick of templating HCL, etc.<p>Has anyone tried the approach of writing some go code that imports terraform, rather than using the terraform CLI? This would give you the full power of golang to set up your resources.

First of all, I don&#x27;t want to dismiss the fact that terraform is a great tool and mostly on the right path.<p>But HCL is giving me Puppet DSL PTSD.<p>Folks at Hashicorp should just embed JS engine and let users write definitions using a real language (JS).<p>It&#x27;s totally doable using library such-as Otto.

For a second I confused this with TerraGen (<a href="https:&#x2F;&#x2F;planetside.co.uk&#x2F;" rel="nofollow">https:&#x2F;&#x2F;planetside.co.uk&#x2F;</a>) and got all excited about reliving a nostalgic youth.

From a language and semantics perspective, any comparisons to Nix?

Language improvement is nowhere match to what Pululmi brings to the table without sacrificing any features.

Terraform still isn&#x27;t stable?<p>On the other hand, I&#x27;m usong React-Native, lol

Finally

&gt; Terraform 0.12 is a major update<p>Looks like a minor update to me...

I moved away from Terraform a long time ago. Ansible was way more powerful, handled errors and issues with state changes. Terraform was super picky about how you had to operate, slow and HCL was a terrible markup language. I wasn&#x27;t really a huge fan of Ansible either though and more recently have been doing things in regular shell&#x2F;Bash scripts. Now with Kubernetes and service brokers, there is no need for Terraform.