Terraform Workspaces Are Bad Actually, And Here's Why.

Поделиться
HTML-код
  • Опубликовано: 27 дек 2024

Комментарии • 26

  • @NedintheCloud
    @NedintheCloud  Год назад

    Are you using Terraform OSS workspaces for today? Do you agree with HashiCorp's guidance?

  • @Max-cq6hl
    @Max-cq6hl 8 месяцев назад +2

    Thanks for explanation. So in regards to possible alternatives, you mentioned a few. Would really love to hear your vision on best alternative. What is the best practice for separating environments when not using workspaces?

    • @NedintheCloud
      @NedintheCloud  8 месяцев назад +1

      My current preference is to use branches in Git. The other most popular way is to use a single config with different tfvars files and use the automation platform to configure the backend for a different state data instance.

    • @Max-cq6hl
      @Max-cq6hl 8 месяцев назад

      @@NedintheCloud Thanks!

  • @KenWMacLeod
    @KenWMacLeod 7 месяцев назад +2

    We use an artifact and per-env tfvars. Our source code tree is identical for all environments, with separate tfvars with the different env configuration. Our CI in dev creates a new artifact after each merge to main and the code automatically applied in dev (CD). Once approved for staging, the artifact is copied to the staging binary artifact repo and the terraform applied in staging using the staging.tfvars. Same pattern when promoted to production using prod.tfvars. We chose this method because all of our other components use the same binary artifact promotion procedure to copy artifacts from dev to stage to production. We have per-env separate state.
    We also share modules between applications using the same artifact tooling for each module. Modules can be pinned per application as needed.

  • @neilmcalister1310
    @neilmcalister1310 Год назад +3

    Using an Azure Storage Account for a backend - I have...
    1 - A different Storage Account for each ENV
    2 - Use the same TF code and modules for all ENVs
    3 - Use TFVARS files for each ENV
    4 - Submit changes to a repo that triggers a CI/CD pipeline that does a PLAN for each ENV
    5 - Have a approve/deny CI/CD pipeline stage to APPLY
    No one user can access the backend Storage Account for any ENV - only the Azure Service Connection/Principal the pipeline runs as can access the backend
    The only issue I have is, as the video highlights, when your PRD ENV is mixed quite differently from the others - e.g. load balancers and resources where they just aren't used in the other ENVs. It's a constant churn to work out shared code and modules to adapt to all of this

    • @NedintheCloud
      @NedintheCloud  Год назад +1

      Thanks for sharing Neil! This is exactly the type of setup I've used in the past. And yeah, Prod can be a real beast!

  • @Amit-of2cq
    @Amit-of2cq Год назад +2

    On AWS with s3 backend, each workspace creates a separate folders based on the key provided in the provider block, inside one bucket.

    • @divyamsharma5198
      @divyamsharma5198 4 месяца назад

      But again as he mentioned, the bucket access policy concerns remain the same.

    • @eduardogomero2709
      @eduardogomero2709 Месяц назад

      @@divyamsharma5198but cant you just limit accees to a bucket specific resource ?

  • @Liam.Stevens
    @Liam.Stevens Год назад +1

    Can you link/reference the part where Terraform state workspaces are not ideal for production?
    Also, does the same apply to Workspaces when using Terraform Cloud? I have previously used multiple branches with multiple workspaces - each branch linked to a particular workspace so all merged PRs for that branch automatically open a plan for that workspace on TF cloud.

    • @NedintheCloud
      @NedintheCloud  Год назад +2

      Here's the doc that I was referencing: developer.hashicorp.com/terraform/language/state/workspaces#using-workspaces
      Workspaces in Terraform Cloud are a totally different beast despite having the same name. They include access control, separate variable values, and linking to specific repo tags or branches.

  • @RodneyMcKee
    @RodneyMcKee Год назад +7

    Hope your going to cover those other options in a future video. This was great content.

    • @NedintheCloud
      @NedintheCloud  Год назад +2

      Happy to! I think I'd like to take a look at using GitHub Actions and Environments to handle separation of duties and state.

    • @guyyefet5804
      @guyyefet5804 Год назад

      @@NedintheCloud please do!!!

    • @JesseChurchill-b2v
      @JesseChurchill-b2v Год назад

      Incredible video, and I concur with this. I have watched the env0 video but I wonder about the other options.

  • @ronaldonazo6961
    @ronaldonazo6961 Год назад +3

    Also not forget that in test you will use a shared RDS for cost optimization ,and on prod you will have your own RDS , do that with workspaces xD!

  • @runtcpip-morganlucas
    @runtcpip-morganlucas Год назад

    Drift and workspaces really threw me for a loop with my first Terraform file. That's a lesson you only learn once, but I don't find myself paying much attention to workspaces anymore.

  • @haythamsalhi3876
    @haythamsalhi3876 Год назад

    Agreed. We would like to know about whether TFC workspaces can resolve those issues in Terraform OSS workspaces? And can we achieve the DRY principle using TFC?

    • @NedintheCloud
      @NedintheCloud  Год назад +1

      You can absolutely use TFC workspaces to resolve many of the issues. I'll detail that process in a future video.

  • @ChristopherKMEtou
    @ChristopherKMEtou Год назад +3

    I simply keep my various environments in separate backend storages.

  • @RobertLachner
    @RobertLachner Год назад +1

    nice video but video and audio are out of sync wich drives me crazy

  • @IoanaAndone
    @IoanaAndone 3 месяца назад +1

    Disagree.
    Have tried all ways and:
    - writing the configuration in a way that can be customised between environments +
    - splitting resources between workspaces with separate management
    is the Best implementation we have seen.
    Otherwise, you're basically assuming that:
    - people will perfectly maintain all the different code versions; they won't - leading to having wildly different dependencies and resources managed in each environment
    - people will want or have the inclination to write rego rules for each environment separately
    - there is no benefit to be gained by dev fully or mostly emulating prod for continuous integration and staging type testing purposes (or that your use case won't require it)
    - running your whopper of a plan/apply (that you will likely evolve towards) won't exceed time limit and the number of resources won't kill the underlying engine
    ... and you're encouraging everyone to push to the same default workspace, meaning that now all teams have to review ALL possible changes... which is a nightmare when you're just updating a small part of the system as part of a routine change and have to unpick all the previous discarded/buffered plans and failed applies or drift realignments.
    From the pov of a company with literally hundreds of AWS accounts, countless repositories applying across accounts, areas and teams, it is SUPREMELY impractical. Workspaces are the way forward. Just pray your TF Cloud provider doesn't charge by them!

    • @NedintheCloud
      @NedintheCloud  3 месяца назад

      Thanks for the feedback! I def think that workspaces in TF Cloud or a similar implementation in other TACOS makes a lot of sense. My quibble is with workspaces in the Terraform Community addition.

    • @IoanaAndone
      @IoanaAndone 2 месяца назад

      @@NedintheCloud Got you :)

  • @bled_2033
    @bled_2033 Год назад +1

    Really well explained!