0
votes

I'm building Terraform scripts to orchestrate Azure deployment. I used Azure Blob Storage to store a tfstate file. This file is shared with several IaC pipelines.

If, for instance, I create an Azure resource group with Terraform and then, when that is done, try to create a new custom role, terraform plan will mark the resource group for destruction.

This is the script for the role creation:

terraform {
  backend "azurerm" {
    storage_account_name = "saiac"
    container_name       = "tfstate"
    key                  = "dev.terraform.tfstate"  # same key as the resource group script below
    resource_group_name  = "rg-devops"
  }
}

# Variables referenced below, declared here so the snippet is complete.
variable "role_prefix" { type = string }
variable "role_suffix" { type = string }
variable "roles" {
  # each entry carries suffix_name plus comma-separated actions / not_actions
  type = list(map(string))
}

data "azurerm_subscription" "primary" {
}

resource "azurerm_role_definition" "roles" {
  count = length(var.roles)
  name  = "${var.role_prefix}${var.roles[count.index]["suffix_name"]}${var.role_suffix}"
  scope = data.azurerm_subscription.primary.id

  permissions {
    actions     = split(",", var.roles[count.index]["actions"])
    not_actions = split(",", var.roles[count.index]["not_actions"])
  }

  assignable_scopes = [data.azurerm_subscription.primary.id]
}

and this is the script for resource group creation:

terraform {
  backend "azurerm" {
    storage_account_name = "saiac"
    container_name       = "tfstate"
    key                  = "dev.terraform.tfstate"  # same key as the role script above
    resource_group_name  = "rg-devops"
  }
}

# Variables referenced below, declared here so the snippet is complete.
variable "rg_prefix"   { type = string }
variable "rg_postfix"  { type = string }
variable "rg_purposes" { type = list(string) }
variable "rg_location" { type = string }
variable "rg_tags"     { type = map(string) }

resource "azurerm_resource_group" "rg" {
  count    = length(var.rg_purposes)
  name     = "${var.rg_prefix}-${var.rg_postfix}-${var.rg_purposes[count.index]}"
  location = var.rg_location
  tags     = var.rg_tags
}

If I remove the backend block, everything works as expected. Does that mean I need the backend block?


2 Answers

1
votes

Terraform uses the .tfstate file to check and compare your code against the existing cloud infrastructure; it is like the backbone of Terraform. If your code and the existing infra differ, Terraform will destroy it and apply the code changes. To overcome this, Terraform provides the import facility: you can import the existing resource and Terraform will update its .tfstate file. This .tfstate file must be specified in your backend.tf file; best practice is to store your .tfstate file in cloud storage, not in a local directory. When you run the terraform init command, it will check for the .tfstate file. Below is a sample backend.tf file (AWS S3 is used):

terraform {
  backend "s3" {
    bucket  = "backends.terraform.file"
    key     = "my-terraform.tfstate_key"
    region  = "my-region-1"
    encrypt = true  # state files routinely contain secrets; keep server-side encryption on
    acl     = "bucket-owner-full-control"
  }
}
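The import approach from the answer above, applied to the question's own Azure resource group, as an added example that is not code from the question or the answers. It assumes Terraform 1.5 or newer for the `import` block (the CLI form in the comment works on older versions); the subscription id, resource group name and location are placeholders and must be replaced with the real values.

```hcl
# Added example, not code from the question or the answers.
# Adopts a resource group that already exists in Azure into this
# configuration's state, so a later plan neither recreates nor destroys it.

terraform {
  required_version = ">= 1.5.0" # import blocks were introduced in 1.5
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# The attributes here must describe the live resource (name, location,
# tags); any difference shows up as an in-place update in the plan that
# follows the import.
resource "azurerm_resource_group" "rg" {
  name     = "rg-dev-shared" # assumed name of the pre-existing group
  location = "westeurope"    # assumed location; must match Azure
}

# Declared in code so the adoption is reviewed with the rest of the change
# and executed by the same plan/apply. The id is the full Azure resource id;
# the subscription id below is a placeholder.
# Pre-1.5 equivalent, run once from the CLI:
#   terraform import azurerm_resource_group.rg \
#     /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev-shared
import {
  to = azurerm_resource_group.rg
  id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev-shared"
}
```

After adding the import, run terraform plan: it should report the import and nothing else. Any update or replace in that plan means the configuration does not yet describe the live resource; reconcile it before applying, because an apply against a disagreeing state is exactly how the destruction in the question happens.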
1
votes

A Terraform backend is not required for Terraform. If you do not use it, however, no one else will be able to pull your code and run your Terraform. The state will ONLY be stored in your .terraform directory. This means if you lose your local files you're in trouble. It is recommended to use a backend that also supports state locking, which azurerm does. With a backend in place the state will get pulled on terraform init after pulling the repo.
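A per-pipeline state layout for the question's two scripts, as an added example that is not code from the question or the answers. It keeps the question's storage account, container and resource group names and assumes the two configurations live in separate directories (marked by the file comments), that the pipeline identity holds Storage Blob Data Contributor on the container when `use_azuread_auth` is set, and that the output name `rg_names` and the role name are invented for the example. It goes a step beyond the answers by showing how one pipeline consumes the other's outputs without sharing its state.

```hcl
# Added example, not code from the question or the answers.
# Each pipeline gets its own state key in the shared container. Two
# configurations that share one key each see the other's resources as
# "not in my code" and plan to destroy them, which is the symptom in
# the question. The azurerm backend locks each blob with a lease, so
# separate keys also mean separate locks.

# ---- resource-groups/main.tf ------------------------------------------
terraform {
  backend "azurerm" {
    storage_account_name = "saiac"
    container_name       = "tfstate"
    key                  = "dev.rg.tfstate" # one key per pipeline
    resource_group_name  = "rg-devops"
    use_azuread_auth     = true # assumed: avoids storage-account keys in the pipeline
  }
}

variable "rg_purposes" { type = list(string) }

resource "azurerm_resource_group" "rg" {
  count    = length(var.rg_purposes)
  name     = "rg-dev-${var.rg_purposes[count.index]}"
  location = "westeurope" # assumed location
}

# Publish only what other pipelines legitimately need, instead of
# letting them write into this state.
output "rg_names" {
  value = azurerm_resource_group.rg[*].name
}

# ---- roles/main.tf ----------------------------------------------------
terraform {
  backend "azurerm" {
    storage_account_name = "saiac"
    container_name       = "tfstate"
    key                  = "dev.roles.tfstate" # different key: separate state, separate lock
    resource_group_name  = "rg-devops"
    use_azuread_auth     = true
  }
}

# Read-only view of the other pipeline's outputs. Caveat: this reads the
# whole remote state blob, so the reading identity needs, and gets, access
# to everything stored in it, including any secrets that state contains.
data "terraform_remote_state" "rg" {
  backend = "azurerm"
  config = {
    storage_account_name = "saiac"
    container_name       = "tfstate"
    key                  = "dev.rg.tfstate"
    resource_group_name  = "rg-devops"
    use_azuread_auth     = true
  }
}

data "azurerm_subscription" "primary" {}

locals {
  # Resource ids of the groups created by the other pipeline.
  rg_scopes = [
    for n in data.terraform_remote_state.rg.outputs.rg_names :
    "${data.azurerm_subscription.primary.id}/resourceGroups/${n}"
  ]
}

# Custom role limited to those groups rather than the whole subscription;
# scope is the first assignable scope, as the provider recommends.
resource "azurerm_role_definition" "rg_reader" {
  name  = "dev-rg-reader" # assumed role name
  scope = local.rg_scopes[0]

  permissions {
    actions     = ["Microsoft.Resources/subscriptions/resourceGroups/read"]
    not_actions = []
  }

  assignable_scopes = local.rg_scopes
}
```

With this layout a plan in the roles directory never touches the resource groups, because they are not in its state, and a plan in the resource-groups directory never sees the role definitions. Note that `local.rg_scopes[0]` fails if the other pipeline has published an empty list, so run the resource-groups pipeline first.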