I have been using Terraform over the last few months, having not used it in anger for quite a while since the projects I have been working on have been more suitable for using Ansible.
However, as I am doing more and more with Microsoft Azure, I found the Ansible modules a little lacking, plus for some of the projects I have had to use an orchestration tool which can natively run on Windows.
Doing a little reading, I decided that I should be using modules so that I didn’t have to repeat lots of code. While this approach has mostly worked, the current version of Terraform, 0.11.x, does have a few annoyances.
For example, in Azure, you have to create a resource group and then place resources you are launching in the group you have configured. Great, I thought to myself, I will just create a module which generates the resource group and then use an output to reference the resource group later in my plan.
The code for the module looked something like the following;
```hcl
resource "azurerm_resource_group" "resource_group" {
  # The module input is declared as "name" below, so reference var.name here
  name     = "${var.name}"
  location = "${var.location}"
  tags     = "${var.tags}"
}

variable "name" {
  description = "The name of the resource group we want to use"
  default     = ""
}

variable "location" {
  description = "The location/region where we are creating the resource"
  default     = ""
}

variable "tags" {
  description = "The tags to associate the resource we are creating"
  type        = "map"
  default     = {}
}

output "rg_name" {
  description = "The name of the newly created resource group"
  value       = "${azurerm_resource_group.resource_group.name}"
}
```
I was hoping that this meant that my main.tf could look like;
```hcl
module "application-rg" {
  source   = "modules/vnet"
  name     = "${var.resource_group_name}"
  location = "${var.location}"
  tags     = "${merge(var.default_tags, map("type","resource"))}"
}

module "application-vnet" {
  source              = "modules/vnet"
  resource_group_name = "${module.application-rg.rg_name}"
  location            = "${var.location}"
  tags                = "${merge(var.default_tags, map("type","network"))}"
  vnet_name           = "${module.application-rg.rg_name}-vnet"
  address_space       = "10.10.0.0/16"
}
```
While it worked, it did error a lot of the time from a standing start; this was because Terraform was trying to create the vNet before the Resource Group had been created.
No problem, I thought to myself — I remembered from the last time I used Terraform that there are resource dependencies in the form of depends_on. However, after much reading, I discovered that depends_on isn’t yet supported for modules — it is on the road map though.
Because of this I had to rejig my main.tf file to look like the following;
```hcl
resource "azurerm_resource_group" "resource_group" {
  name     = "${var.resource_group_name}"
  location = "${var.location}"
  tags     = "${merge(var.default_tags, map("type","resource"))}"
}

module "application-vnet" {
  source              = "modules/vnet"
  resource_group_name = "${azurerm_resource_group.resource_group.name}"
  location            = "${var.location}"
  tags                = "${merge(var.default_tags, map("type","network"))}"
  vnet_name           = "${azurerm_resource_group.resource_group.name}-vnet"
  address_space       = "10.10.0.0/16"
}
```
This was not the end of the world, but as the documentation was pushing me down the module route, it was annoying.
The next lot of problems I had was with trying to use count with lists which had either been dynamically generated from another module or were hard coded. After much searching of StackOverflow and GitHub issues I found workarounds for most of my issues, such as the following (which has been abridged);
```hcl
resource "azurerm_network_security_group" "nsg" {
  resource_group_name = "${var.resource_group_name}"
  location            = "${var.location}"
  tags                = "${var.tags}"
  name                = "${var.name}"
}

locals {
  rules_locked_down_no = "${length(var.rules_locked_down)}"
  rules_groups_no      = "${length(var.rules_groups)}"
  rules_open_no        = "${length(var.rules_open)}"
}

resource "azurerm_network_security_rule" "rules_locked_down" {
  count                       = "${local.rules_locked_down_no != 0 ? length(var.rules_locked_down) : 0}"
  name                        = "${lookup(var.rules_locked_down[count.index], "name", "default_rule_name")}"
  priority                    = "${lookup(var.rules_locked_down[count.index], "priority")}"
  direction                   = "${lookup(var.rules_locked_down[count.index], "direction", "Any")}"
  resource_group_name         = "${var.resource_group_name}"
  network_security_group_name = "${azurerm_network_security_group.nsg.name}"
}

resource "azurerm_network_security_rule" "rules_open" {
  count                       = "${local.rules_open_no != 0 ? length(var.rules_open) : 0}"
  name                        = "${lookup(var.rules_open[count.index], "name", "default_rule_name")}"
  priority                    = "${lookup(var.rules_open[count.index], "priority")}"
  direction                   = "${lookup(var.rules_open[count.index], "direction", "Any")}"
  resource_group_name         = "${var.resource_group_name}"
  network_security_group_name = "${azurerm_network_security_group.nsg.name}"
}

resource "azurerm_network_security_rule" "rules_groups" {
  count                       = "${local.rules_groups_no != 0 ? length(var.rules_groups) : 0}"
  name                        = "${lookup(var.rules_groups[count.index], "name", "default_rule_name")}"
  priority                    = "${lookup(var.rules_groups[count.index], "priority")}"
  direction                   = "${lookup(var.rules_groups[count.index], "direction", "Any")}"
  access                      = "${lookup(var.rules_groups[count.index], "access", "Allow")}"
  resource_group_name         = "${var.resource_group_name}"
  network_security_group_name = "${azurerm_network_security_group.nsg.name}"
}
```
Here I had to use the locals to count the number of items in the list I was passing through so that it could then be used by count.
This is something I would have expected to have worked when I first wrote the module as the syntax made sense, however, when I ran the original code this was pretty much the face I pulled when all I got was a message saying that the “count cannot be computed.”;
See this GitHub issue for more detail on why it didn’t work and what changes have been made in Terraform to fix it.
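The NSG module above resolves missing keys with lookup() defaults, so a rule map that omits access is created as Allow and one that omits direction gets "Any", which Azure does not accept as a rule direction. The following Python check is an added example, not code from the original post: it lints a rule list before it is handed to the module, and the function name and sample rules are constructed for illustration.

```python
# Added example: pre-flight lint for the rule maps passed to the NSG module.
# MODULE_DEFAULTS mirrors the lookup() defaults in the module above; the
# allowed values and priority range are Azure's NSG rule limits.
MODULE_DEFAULTS = {"name": "default_rule_name", "direction": "Any", "access": "Allow"}
VALID_DIRECTIONS = {"Inbound", "Outbound"}
VALID_ACCESS = {"Allow", "Deny"}


def lint_rules(rules):
    """Return (rule_index, message) findings for one list of rule maps."""
    findings = []
    seen_priority = {}  # (direction, priority) -> index of first rule using it
    seen_name = {}      # name -> index of first rule using it
    for i, rule in enumerate(rules):
        eff = dict(MODULE_DEFAULTS, **rule)  # what lookup() would resolve to
        if "access" not in rule:
            findings.append((i, "access not set, module falls back to Allow"))
        elif eff["access"] not in VALID_ACCESS:
            findings.append((i, "access %r is not Allow/Deny" % eff["access"]))
        if eff["direction"] not in VALID_DIRECTIONS:
            findings.append((i, "direction %r is not Inbound/Outbound" % eff["direction"]))
        try:
            prio = int(rule["priority"])  # 0.11 passes map values as strings
        except (KeyError, TypeError, ValueError):
            prio = None  # the module's lookup() has no default for priority
            findings.append((i, "priority missing or not an integer"))
        if prio is not None:
            if not 100 <= prio <= 4096:
                findings.append((i, "priority %d outside 100-4096" % prio))
            first = seen_priority.setdefault((eff["direction"], prio), i)
            if first != i:
                findings.append((i, "priority %d already used by rule %d" % (prio, first)))
        first = seen_name.setdefault(eff["name"], i)
        if first != i:
            findings.append((i, "name %r already used by rule %d" % (eff["name"], first)))
    return findings


# Constructed sample input, not taken from the original post.
SAMPLE_RULES = [
    {"name": "allow_ssh", "priority": "100", "direction": "Inbound", "access": "Allow"},
    {"name": "allow_https", "priority": "100", "direction": "Inbound"},
    {"priority": "5000", "access": "Deny"},
    {"priority": "200", "direction": "Outbound", "access": "Deny"},
]

if __name__ == "__main__":
    for index, message in lint_rules(SAMPLE_RULES):
        print("rule %d: %s" % (index, message))
```

Running it over the rule lists in CI before `terraform plan` surfaces fail-open defaults and priority or name collisions before any rule is created.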
Most of the problems I came across while I have been revisiting Terraform appear to be either being fixed or having the ground-work laid for a fix in Terraform 0.12 which should be released very soon.
Until it is, I will be waiting — thinking about all of the workarounds I will have to undo.
For more information on Terraform 0.12 the following video is a good place to start;
Or the following blog posts from HashiCorp which go to make up a preview of Terraform 0.12;
Update 16/02/2019
it is an interesting insight into what is going on behind the scenes to get this release out of the gate.