Terraform with Microsoft Azure – Terraform State – Part 3

Hi Friends,

In this section, we will continue from the last post and discuss what state management is in Terraform. Along the way, we will learn how to save, share and lock state, and understand why Terraform state matters.

Having said that, let’s get started.

Terraform State

Terraform state records what is deployed on the target machine and what configuration it has. State can also hold sensitive information such as passwords, connection strings and other required admin attributes. In a nutshell, Terraform needs to maintain state between deployments.

Normally, Terraform state is generated with the very first deployment, and the file keeps getting updated with subsequent builds. However, it's not a good practice to keep Terraform state on the local machine, for reasons like:

  • Local state doesn’t work well in a team or collaborative environment.
  • Terraform state can include sensitive information.
  • Storing state locally increases the chance of inadvertent deletion.

That’s why Terraform recommends saving state remotely rather than locally. Terraform state also provides features like resource locking, which is normally used when deploying via pipelines on the same infrastructure. Next, we need to persist Terraform state to a remote location, say Azure Storage.

Configure Storage Account

We need to create an Azure storage account before we can apply state changes to a remote location. This script can help you achieve that.

You need to run the script below in Azure CLI to set up the infrastructure. Click on the shell icon in the Azure portal. If you are doing this for the first time, it will show the setup message below.

 

Click on the Create storage button and then select bash as the option. Then paste the script, and it will start as shown below. Make sure you use a unique name for the Key Vault.

Upon successful creation, it will appear like  

At this point, you can check the resource group in the Azure portal. You will see that all the files were created correctly. Ignore the other storage as I ran the script twice, hence it got created.

 

Configure State Backend

The Terraform state backend is configured when we run the terraform init command. The following data is required to configure the state backend.

  • storage_account_name: The name of the Azure Storage account.
  • container_name: The name of the blob container.
  • key: The name of the state store file to be created.
  • access_key: The storage access key.

Each of these values can be specified in the Terraform script or on the command line.
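The backend block these four values go into, as an added example that is not code from the original post or its repository; the storage account, container and key names are constructed placeholders. It puts the access key hardcoded in the script beside a variant that keeps it out of the file and supplies it through the `ARM_ACCESS_KEY` environment variable, which the azurerm backend reads.

```hcl
# Added example. All names and values below are constructed placeholders.

# Weak variant (commented out): the storage access key sits in the
# configuration file, so it ends up in version control and in every copy
# of the repository.
#
# terraform {
#   backend "azurerm" {
#     storage_account_name = "tfstateexample001"
#     container_name       = "tfstate"
#     key                  = "terraform.tfstate"
#     access_key           = "<storage-access-key>"
#   }
# }

# Corrected variant: only the non-secret values are in the file.
terraform {
  backend "azurerm" {
    storage_account_name = "tfstateexample001" # Azure Storage account name
    container_name       = "tfstate"           # blob container name
    key                  = "terraform.tfstate" # state store file (blob) name
    # access_key is deliberately omitted here.
  }
}

# Supply the key at init time from the shell instead:
#
#   export ARM_ACCESS_KEY="<storage-access-key>"
#   terraform init
#
# The key can also be passed on the command line:
#
#   terraform init -backend-config="access_key=<storage-access-key>"
#
# Values given with -backend-config (or hardcoded above) are written in
# plain text to the local .terraform directory and to plan files, so the
# environment variable is the safer of the two.
```

Keep the `.terraform` directory and any saved plan files out of version control in either case.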

Now, we can run the terraform init command. On successful execution, it will appear as shown below.

Next, we need to apply the same using the terraform apply command.

Enter yes and continue. Upon successful execution, it will come like

At this stage, we can verify that the following resources are created in the newly created Resource Group, as shown below.

At this stage, when I check my blob container, I can see the required state store file created.

At this stage, I can view/edit the blob as shown below.

Also, when I click on the state which got created, it will appear like

Currently, it's in the Unlocked state as it's not leased yet. Let’s do this manually. Click on the Acquire lease button. Upon clicking the same, it came like

 

This is one way of applying state changes. However, in this case, we haven’t used vaults. Hence, from a security perspective, it's still vulnerable. We will see the same example using Vault in the next demo. Till then, stay tuned and Happy Coding.

You can refer to the code at https://github.com/rahulsahay19/terraform-basics.

Thanks,
Rahul Sahay
Happy Coding