Introduction

Infrastructure-as-Code (IaC) is one of the best DevOps practices: it accelerates development and increases the quality of deployments. IaC has become a true industry standard. We observe that many of our customers who start their cloud journey adopt IaC, and specifically Terraform, from the very beginning. In our previous post, we looked at different IaC tools. In this post, we would like to present the latest IaC developments and trends and share our experience.

Improved testing capabilities

Terraform has long offered different kinds of validation, such as input variable validation, resource preconditions and postconditions, and check blocks. Terraform has now launched a more powerful framework for unit and integration tests. Many things that previously had to be implemented manually using other programming languages and frameworks are now possible with HCL. The new framework introduced new file formats such as .tftest.hcl and .tftest.json as well as a new Terraform CLI command, "test".

The main capability of the framework is to run tests against real-world infrastructure. By default, the Terraform test command applies test configurations, but the behaviour can be changed to plan only. Optional assertions can be defined which can refer to variables, resource attributes and built-in functions, but executing a custom script in an assertion is not possible. A workaround for custom scripts is to embed them in the shell resource provider or similar and then read the output of the resource or data source in the assertion.

The new framework also automatically destroys the infrastructure provisioned during a test once the test has finished. This aspect is not helpful, since post-apply analysis can be very useful for debugging in some cases. An option to skip destruction is not implemented yet.

An advantage of Terraform test is the introduction of run blocks. Each run block can refer to a specific test case or module and override the variable and provider configuration. This gives great flexibility for tests that require some initial setup which is not part of the main infrastructure code. The initial setup can be implemented by a run block with a reference to a dedicated test module.

Finally, Terraform can accelerate the testing process by using mock providers, without provisioning real-world infrastructure. This function is particularly useful for testing large infrastructures or resources with a long deployment time, and for a large number of tests with different parameter values.
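The features described in this section, combined in one added example that is not part of the original post: a plan-only test with a mocked provider that checks a security property and an input variable validation. The module, resource names and variable values are constructed for illustration; it assumes the hashicorp/aws provider and a Terraform release that supports mock providers.

```hcl
# ---- main.tf (module under test, constructed for this example) ----
variable "bucket_name" {
  type = string

  validation {
    condition     = can(regex("^[a-z0-9-]{3,63}$", var.bucket_name))
    error_message = "bucket_name must be 3-63 lowercase letters, digits or hyphens."
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = var.bucket_name
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# ---- tests/bucket.tftest.hcl (picked up by `terraform test`) ----
# Mocked provider: no credentials are needed and nothing is provisioned.
mock_provider "aws" {}

# File-level defaults; each run block may override them.
variables {
  bucket_name = "example-logs"
}

run "public_access_is_blocked" {
  command = plan # plan only; the default is apply

  assert {
    condition = alltrue([
      aws_s3_bucket_public_access_block.logs.block_public_acls,
      aws_s3_bucket_public_access_block.logs.restrict_public_buckets,
    ])
    error_message = "The log bucket must block public ACLs and restrict public buckets."
  }
}

run "rejects_invalid_bucket_name" {
  command = plan

  variables {
    bucket_name = "Not_A_Valid_Name" # override for this run only
  }

  # The run passes only if the variable validation fails.
  expect_failures = [var.bucket_name]
}
```

Both assertions refer to values set in the configuration, so they are known at plan time; assertions on provider-computed attributes need an apply or mocked values.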

Licensing Changes

HashiCorp has changed its source code license from Mozilla Public License v2.0 (MPL 2.0) to the Business Source License (BSL). This decision is motivated by the lack of valuable contributions to HashiCorp's OSS from some other commercial vendors using this OSS. The new license model prohibits, among other things, production use of Terraform that competes with HashiCorp's paid offerings. Thus, many use cases remain unaffected by the licensing change.

However, for customers using the Terragrunt extension for Terraform, a restriction on the underlying Terraform version (v1.5.5 or older) has been introduced. In reaction, Terragrunt and other vendors have founded OpenTofu, a fork of Terraform which is open-source, community-driven, and managed by the Linux Foundation. OpenTofu is already GA and its community will continuously implement important features compatible with future Terraform releases.

Time for the Cloud Edition?

Working with Terraform also means deciding which edition (self-hosted, cloud or enterprise) to use. Each option has its benefits and drawbacks.

Terraform Cloud and Enterprise have gained further improvements such as dynamic provider credentials, drift detection, stacks, third-party tool integration and policy evaluation. Note that Terraform Cloud is even free for up to 500 resources per month. The latest changes make Terraform Cloud/Enterprise even more attractive. However, there are still some points to consider.

First of all, there is data security and the authorised storage locations for data. Many European companies restrict the storage location to the EU. In this case, Terraform Cloud, which stores all customer data in the United States, is not an option. If Cloud features are still required, then the choice is Terraform Enterprise, which is a self-hosted version of Terraform Cloud and, consequently, requires more installation and administration work.

Although the Cloud and Enterprise editions provide customers with an all-in-one tool to develop and operate IaC, a good portion of their features, e.g. state and credentials management, RBAC and drift detection, can be quite easily implemented with other DevOps frameworks and public cloud services. From our experience, the Terraform community edition is more than sufficient for most use cases, but of course the scale of the infrastructure matters.

Looking at Competitors

Among other IaC tools, only Pulumi can potentially compete with Terraform. The important criterion is the number of supported resource providers. Pulumi launched its registry in 2021 with support for 64 leading cloud providers and today offers over 150 packages. Terraform Registry far exceeds this number with over 3800 providers. A similar ratio is reflected in the number of customers, which is 2000 and 40000 for Pulumi and Terraform, respectively. Terraform clearly remains an industry leader for IaC.

However, Pulumi keeps growing and attracts new funding. From the very beginning, Pulumi was targeted at writing IaC code in popular programming languages such as TypeScript/JavaScript, Python, Go, C#, Java, and YAML. In contrast, Terraform first released its Cloud Development Kit (CDKTF) for general availability in 2022. In the meantime, CDKTF offers about 110 implemented providers and is somewhat behind Pulumi.

Summary

We have reviewed what are, in our opinion, the most important trends in the IaC world, with a focus on Terraform as the leader. As expected, Terraform has brought many new valuable features to the market in the last year and still remained OSS for our use cases. At the same time, it is exciting to observe the rise of other OSS IaC projects. Clearly, there is no consolidation in the developer community yet. We will continue to follow this development in our next blog posts.