I've invested a lot of time into using Terraform, and I'm starting to feel that thinking of it purely as code might not be the best way to teach it. When we call it 'code', it implies that what's written is the entire truth, when the reality is the state file holds the key. I've encountered situations where teams believed their security groups were locked down based on their HCL, but they had several old resources that were never imported into the state file. Consequently, Terraform ignored these resources, leaving the environment vulnerable. We're often telling new users that if it's in Git, it's real; however, the truth is, if it's in the state file, it's managed. So, I'm curious: Does anyone else enforce refresh-only plans in their workflows to catch these types of issues? Or do you accept that ghost resources are something we just have to deal with?
5 Answers
You bring up a valid point about how Terraform's state management can be misleading. There are two types of state: desired and actual. The desired state exists in Git, but the actual state is determined by your reconciliation processes, which can lead to discrepancies when the state file isn't regularly refreshed.
Totally get what you mean! It’s not just an issue of code versus reality; it's also how we manage permissions. Having all changes routed through Terraform is vital, and that means enforcing strict policies over who can make changes. If people need freedom to deploy changes, make sure that’s restricted to specific environments.
I can relate to your frustrations. Terraform is a complex tool, especially when you consider how it handles state. If a change happens outside of Terraform's awareness, like through automated processes or manual overrides, it can create significant drift.
Governance is key, but as you mentioned, even with strict protocols in place, things can still drift. We need to combine good organization with proactive drift detection to manage our environments effectively.
You're totally right! Terraform's biggest flaw is its lack of mechanisms for tracking resources not defined by it. It often just becomes messy when we mix managed resources with those created by other means, leading to complications down the line.
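As an added example (not code from the original thread), here is the state-versus-inventory check that the question's ghost-resource problem and the drift-detection answer above call for: it walks a constructed, already-parsed terraform.tfstate excerpt and a constructed provider listing of security groups, then reports ghost resources Terraform has never managed, orphaned state entries that no longer exist, and ghosts whose ingress is open to the world. All IDs, names and the CLOUD_INVENTORY record shape are made up for the demonstration.

```python
# Constructed terraform.tfstate excerpt (v4 layout, as json.load() would return it);
# not from a real environment. The "data" entry is a read-only lookup, not a managed resource.
STATE = {"version": 4, "resources": [
    {"mode": "managed", "type": "aws_security_group", "name": "web",
     "instances": [{"attributes": {"id": "sg-0a1b2c3d", "name": "web-sg"}}]},
    {"mode": "managed", "type": "aws_security_group", "name": "db",
     "instances": [{"attributes": {"id": "sg-0d4e5f6a", "name": "db-sg"}}]},
    {"mode": "data", "type": "aws_security_group", "name": "default",
     "instances": [{"attributes": {"id": "sg-00000000", "name": "default"}}]},
]}

# Constructed provider inventory (what a flattened describe-security-groups listing might give):
# sg-0d4e5f6a was deleted out of band, sg-0ffffff1 was created by hand and never imported.
CLOUD_INVENTORY = [
    {"id": "sg-0a1b2c3d", "name": "web-sg", "ingress_cidrs": ["10.0.0.0/8"]},
    {"id": "sg-00000000", "name": "default", "ingress_cidrs": []},
    {"id": "sg-0ffffff1", "name": "legacy-admin", "ingress_cidrs": ["0.0.0.0/0"]},
]
WORLD_OPEN = {"0.0.0.0/0", "::/0"}


def managed_ids(state: dict, resource_type: str) -> set:
    """IDs of resources of one type that Terraform actually manages (mode == "managed")."""
    ids = set()
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != resource_type:
            continue
        for inst in res.get("instances", []):
            rid = inst.get("attributes", {}).get("id")
            if rid:
                ids.add(rid)
    return ids


def reconcile(state: dict, inventory: list, resource_type: str) -> dict:
    """ghost: live but absent from state (Terraform will never touch it);
    orphaned: in state but gone; ghost_open: ghosts with world-open ingress."""
    managed = managed_ids(state, resource_type)
    live = {item["id"]: item for item in inventory}
    ghosts = sorted(set(live) - managed)
    return {
        "ghost": ghosts,
        "orphaned": sorted(managed - set(live)),
        "ghost_open": [g for g in ghosts if WORLD_OPEN & set(live[g]["ingress_cidrs"])],
    }


if __name__ == "__main__":
    for key, ids in reconcile(STATE, CLOUD_INVENTORY, "aws_security_group").items():
        print(f"{key}: {', '.join(ids) or 'none'}")
```

A refresh-only plan only reconciles attributes of resources already in the state file, so it will surface the orphaned entry but can never see the ghosts; those need an inventory comparison like this one, run on a schedule or as a CI gate.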