Terraform in Depth you own this product

Infrastructure as Code with Terraform and OpenTofu

Robert Hafner
Forewords by Anton Babenko and Christian Mesh

February 2025
ISBN 9781633438002
504 pages

Included with a Manning Online subscription

printed in black & white

available in Simplified Chinese

catalog / DevOps / Infrastructure as Code

table of content

Part 1. Getting started with Terraform

1 A brief overview of Terraform

1.1 Infrastructure as code

1.1.1 Software development practices with IaC

1.1.2 Repeatability and shareability

1.1.3 Continuous integration and deployment

1.2 Terraform overview

1.2.1 Terraform language

1.2.2 Terraform CLI and core

1.2.3 Providers

1.2.4 Vendors

1.2.5 Backends

1.2.6 Workspaces

1.3 Declarative languages

1.3.1 Declarative vs. imperative languages

1.3.2 Dependency resolution

1.3.3 Pitfalls of declarative languages

1.4 Terraform deployment flow

1.4.1 Change desired

1.4.2 Init

1.4.3 Plan

1.4.4 Apply

1.5 What are people using this for?

1.5.1 Machine learning training

1.5.2 API and web services

1.5.3 Single sign-on authentication structure

1.5.4 Rapid prototyping

1.6 Terraform and OpenTofu

1.6.1 HashiCorp’s history with open source

1.6.2 HashiCorp license changes

1.6.3 Community reactions

1.6.4 OpenTofu fork

1.6.5 OpenTofu and Terraform compatibility

1.6.6 Using OpenTofu

Summary

2 Terraform HCL components

2.1 Hello World

2.1.1 Research and design

2.1.2 Creating the project

2.1.3 Setup providers

2.1.4 Getting our configuration values

2.1.5 Creating an instance

2.1.6 Running Terraform

2.2 Block syntax

2.2.1 Block types

2.2.2 Labels and subtypes

2.2.3 Arguments and subblocks

2.2.4 Attributes

2.2.5 Ordering

2.2.6 Style

2.3 Terraform settings

2.3.1 Backend and cloud blocks

2.3.2 Experiments

2.4 Providers

2.4.1 Provider registry

2.4.2 Required providers

2.4.3 Provider configuration

2.4.4 Provider aliases

2.5 Resources

2.5.1 Resource usage

2.6 Data sources

2.7 Meta arguments

2.7.1 Providers

2.7.2 Lifecycle

2.7.3 Explicit dependencies

2.8 Modules

2.9 Import, moved, and removed

Summary

3 Terraform variables and modules

3.1 Modules

3.1.1 Module usage

3.1.2 Module file structure

3.1.3 Root module

3.1.4 Submodules

3.1.5 Module registries

3.2 Input, output, and local variables

3.3 Input variables

3.3.1 Defining and using inputs

3.3.2 Marking variables as sensitive

3.3.3 Using types for robust code

3.4 Outputs

3.4.1 Defining and using outputs

3.4.2 Sensitive outputs

3.4.3 Output dependencies

3.5 Locals

3.5.1 Defining and using locals

3.6 Value types

3.6.1 Strings

3.6.2 Numbers

3.6.3 Booleans

3.6.4 Lists

3.6.5 Sets

3.6.6 Tuples

3.6.7 Objects

3.6.8 Maps

3.6.9 Null

3.6.10 Any

3.7 Validating inputs

3.8 A reusable instance module

3.8.1 Refactoring into a module

3.8.2 Using input variables to customize behavior

3.8.3 Adding output variables to encourage reuse

3.8.4 Testing our changes

3.8.5 Publishing

Summary

4 Expressions and iterations

4.1 Expanding our module

4.1.1 Research

4.1.2 Adding a name and tags

4.1.3 Allowing multiple instances

4.1.4 Creating a role

4.1.5 Enabling the session manager

4.1.6 Reviewing our work

4.2 Operators and conditionals

4.2.1 Math

4.2.2 Comparison

4.2.3 Boolean operators

4.2.4 Conditional (Terraform’s ternary operator)

4.2.5 Order

4.3 Functions

4.3.1 Calling and using functions

4.3.2 The standard library

4.3.3 Pure vs. impure functions

4.4 Strings and templates

4.4.1 The file function

4.4.2 The templatefile function

4.4.3 String template language

4.4.4 The template_file resource

4.4.5 When not to use templates

4.5 Regular expressions

4.5.1 Regex

4.5.2 Regexall

4.5.3 Replace

4.6 Type conversion

4.6.1 Implicit type conversion

4.6.2 The toType functions

4.6.3 Sensitive and nonsensitive

4.7 Try and can

4.8 count and for_each

4.8.1 count

4.8.2 for_each

4.8.3 Accessing attributes

4.8.4 Limitations and workarounds

4.9 For

4.9.1 List and object inputs

4.9.2 List and object outputs

4.9.3 Filtering

4.9.4 Grouping mode

4.9.5 Splat

4.10 Dynamic blocks

Summary

5 The Terraform plan

5.1 Directed acyclic graphs

5.1.1 DAGs

5.1.2 A Transport Layer Security example

5.2 The Terraform resource graph

5.2.1 Nodes

5.2.2 terraform graph command

5.2.3 Modules in the graph

5.3 Plan

5.3.1 Planning modes

5.3.2 Replace (previously known as taint)

5.3.3 Resource targeting

5.3.4 Disabling refresh

5.3.5 terraform refresh command

5.3.6 Reviewing plan files with terraform show

5.4 Root-level module input variables

5.4.1 Interactive

5.4.2 Variable flag

5.4.3 Variable files

5.4.4 Environment variables

5.4.5 Input precedence

5.4.6 A note on secrets and inputs

5.5 Apply

5.5.1 Plan and apply in a single command

5.5.2 Using a plan file

5.5.3 Destroy

5.6 Apply and plan options

5.6.1 Parallelism

5.6.2 Locking

5.6.3 JSON

5.6.4 Formatting flags

5.7 Common pitfalls and errors

5.7.1 Circular dependencies

5.7.2 Cascading changes

5.7.3 Hidden dependencies

5.7.4 Always detected changes

5.7.5 Calculated values and iterations

5.7.6 Failed state updates

Summary

Part 2. Terraform in production

6 State management

6.1 Purpose of state

6.1.1 Real-world linkage

6.1.2 Reduced complexity

6.1.3 Performance

6.1.4 State-only resources

6.2 Important considerations

6.2.1 Resiliency

6.2.2 Security

6.2.3 Availability

6.3 Dissecting state

6.3.1 State as JSON

6.3.2 State versions

6.3.3 Lineage and serial

6.3.4 Resources, outputs, and checks

6.4 Storing state

6.4.1 Possible backends

6.4.2 Configuring the backend Itself

6.4.3 Backend block

6.4.4 Alternative authentication methods

6.4.5 Cloud block

6.4.6 Migrating backends

6.4.7 Workspaces

6.4.8 Upgrading backends

6.5 Manipulating state

6.5.1 Backup and restore

6.5.2 Code-driven changes

6.5.3 CLI-driven changes

6.5.4 Manually editing

6.6 State drift

6.6.1 Accidental manual changes

6.6.2 Intentional manual changes

6.6.3 Conflicting automated changes

6.6.4 Terraform errors

6.7 Accessing state across projects

6.7.1 terraform_remote_state

6.7.2 Structuring for remote state

6.7.3 Alternatives to terraform_remote_state

6.8 State-only resources

6.8.1 Random provider

6.8.2 Time provider

6.8.3 Null provider

6.8.4 terraform_data

Summary

7 Code quality and continuous integration

7.1 Continuous integration practices

7.1.1 SCM

7.1.2 Branching and PRs

7.1.3 Code reviews

7.2 Local development

7.2.1 Standardizing and bootstrapping with software templates

7.2.2 Repeatable tasks with makefiles

7.2.3 Installing applications with makefiles

7.2.4 Terraform and OpenTofu

7.2.5 Terraform and OpenTofu versions

7.2.6 Pre-commit hooks

7.3 Tools for maintaining quality

7.3.1 terraform validate

7.3.2 Terratest and Terraform testing

7.3.3 TFlint

7.4 Validating security

7.4.1 Checkov

7.4.2 Trivy (formally TFSec)

7.4.3 Snyk, Checkmarx, and Mend

7.5 Custom policy enforcement

7.5.1 OPA with TFLint

7.5.2 Custom Checkov rules

7.6 Automating chores

7.6.1 terraform-docs

7.6.2 terraform fmt

7.6.3 tflint autofix

7.7 Enforcing quality with CI systems

7.7.1 Selecting a CI system

7.7.2 Building the basic workflows

7.7.3 Validating both OpenTofu and Terraform

7.7.4 Branch protection and required pipelines

7.7.5 Automated updates with Dependabot

Summary

8 Continuous delivery and deployment

8.1 Delivering modules

8.1.1 Semantic versioning and constraints

8.1.2 SCM-based module delivery

8.1.3 Public software registries

8.1.4 Private registries

8.1.5 Artifactory

8.2 Deploying infrastructure

8.2.1 What is a deployment?

8.2.2 Environments

8.2.3 CD

8.2.4 Deployment requirements and limitations

8.3 GitOps

8.3.1 GitOps development workflows

8.3.2 Continuous reconciliation

8.3.3 GitOps and CD platforms

8.4 Project structures

8.4.1 Application as root module

8.4.2 Environment as root module

8.4.3 Terragrunt

8.5 Managing secrets

8.5.1 OpenID Connect

8.5.2 Secret managers

8.5.3 Orchestrator Settings

8.6 CD platform features

8.6.1 Common features

8.6.2 Terraform vs. OpenTofu

8.6.3 State management and private registry

8.6.4 Drift detection and correction

8.6.5 IaC frameworks

8.6.6 Policy enforcement

8.6.7 Infrastructure cost estimates

8.7 CD platform overview

8.7.1 HCP Terraform

8.7.2 Env0 and Spacelift

8.7.3 Scalr

8.7.4 Digger and Terrateam

8.7.5 Harness and Octopus Deploy

8.7.6 Atlantis and Terrakube

Summary

9 Testing and refactoring

9.1 The theory of IaC testing

9.1.1 What to test (and what not to test)

9.1.2 How IaC testing differs from software testing

9.1.3 Terraform testing frameworks

9.1.4 Unit testing vs. integration testing

9.2 Testing IaC in practice

9.2.1 Simple testing flow

9.2.2 Starting with examples

9.2.3 Concurrency and automated testing

9.2.4 Timeouts

9.2.5 Automatic cleanup

9.2.6 Authentication and secrets

9.2.7 Testing as code

9.3 Terratest

9.3.1 Getting started with Go

9.3.2 Terratest Hello World

9.3.3 Building on examples

9.3.4 Terratest helpers

9.3.5 Updating our makefile and template

9.3.6 Testing with CI

9.3.7 Terratest and Copilot

9.4 Terraform testing framework

9.4.1 Hello World

9.4.2 Accessing named values

9.4.3 Mocks

9.4.4 Building on examples

9.4.5 Managing versions

9.4.6 Testing with CI

9.4.7 Terraform testing framework and Copilot

9.5 Refactoring

9.5.1 Refactoring vs. development

9.5.2 Internal vs. external refactoring

9.5.3 Reorganizing your project

9.5.4 Renaming resources and modules

9.5.5 Renaming variables

9.6 External refactoring

9.6.1 When to break compatibility

9.6.2 Planning your next major version

9.6.3 Building your next major version

9.6.4 Maintaining your previous major version

Summary

Part 3. Advanced Terraform topics

10 Advanced Terraform topics

10.1 Names and domains

10.1.1 Naming considerations

10.1.2 Hierarchical naming schemes

10.1.3 Domains

10.2 Network management

10.2.1 Subnetting with Classless Inter-Domain Routing

10.2.2 Common topologies

10.2.3 Location module

10.2.4 High-level module

10.3 Provisioners

10.3.1 Connections

10.3.2 Command provisioners

10.3.3 File provisioners

10.3.4 Provisioner control

10.3.5 terraform_data

10.3.6 Alternatives to using provisioners

10.4 External provider

10.4.1 External datasource

10.4.2 Wrapper program languages

10.4.3 Writing wrapper programs

10.4.4 Alternatives to external providers

10.5 Local provider

10.5.1 Functions

10.5.2 Data sources

10.5.3 Resources

10.6 Checks and conditions

10.6.1 Preconditions and postconditions

10.6.2 Checks

10.7 OpenTofu and Terraform compatibility

10.7.1 Tofu files

10.8 When Terraform isn’t appropriate

10.8.1 Kubernetes

10.8.2 Container image building

10.8.3 Machine image building

10.8.4 Artifact management

Summary

11 Alternative interfaces

11.1 Wrapping Terraform

11.1.1 JSON output and machine-readable UI

11.1.2 Initial Terraform client

11.1.3 Init

11.1.4 A detour into testing

11.1.5 Validating

11.1.6 State

11.1.7 Apply

11.1.8 Plan

11.1.9 Output

11.1.10 Using our library

11.2 Using JSON instead of HCL

11.2.1 JSON structure

11.2.2 Expressions and keywords

11.2.3 Comments

11.3 Cloud Development Kit for Terraform

11.3.1 Should I use CDKTF?

11.3.2 CDKTF setup

11.3.3 Apps, stacks, and resources

11.3.4 CDKTF usage

Summary

12 Terraform providers

12.1 Design

12.2 Developer environment

12.2.1 Template

12.2.2 Developer overrides

12.3 Terraform Plugin Framework features

12.3.1 Schemas

12.3.2 Error handling and logging

12.3.3 Testing

12.4 Provider interface

12.4.1 Template cleanup

12.4.2 Provider model and schema

12.4.3 Provider configuration

12.4.4 Provider testing

12.5 Data source

12.5.1 Data source schema

12.5.2 Configure

12.5.3 Read

12.5.4 Registration

12.5.5 Usage

12.5.6 Testing

12.6 Resources

12.6.1 Resource schema

12.6.2 Resource configure

12.6.3 Resource create

12.6.4 Resource read

12.6.5 Resource update

12.6.6 Resource delete

12.6.7 Registration

12.6.8 Testing

12.7 Functions

12.7.1 Function definition

12.7.2 Function run

12.7.3 Registration

12.7.4 Testing

12.8 Publishing

12.8.1 Updating documentation

12.8.2 Creating a GPG key

12.8.3 Registering the provider

12.8.4 Creating a release

Summary

Overview

1 A brief overview of Terraform

Infrastructure as Code transforms infrastructure work into repeatable, shareable software, and Terraform has become the de facto standard for doing so across vendors. The chapter opens with a hands-on story of moving from slow, manual cloud setup to defining a VPC once and reusing it reliably, highlighting gains in speed, quality, and accessibility for teams. Treating infrastructure like software unlocks version control, code reviews, automated tests, and CI/CD, while modules promote reuse and continual improvement. The result is reproducible environments, faster iteration, and a culture shift where developers can self-serve complex platforms with confidence.

Terraform’s power comes from clear separation of concerns and a declarative model. Developers describe the desired end state in HCL, and Terraform builds a dependency graph to plan and execute the required actions. Providers abstract vendor APIs, the CLI/Core executes plans, state is managed via backends, and workspaces represent individual deployments with their own configuration and state. The deployment workflow follows a predictable rhythm—write a change, initialize dependencies, generate and review a plan, then apply it—while concurrency accelerates real-world provisioning. Declarative dependency resolution simplifies ordering across complex stacks, though circular dependencies remain a common pitfall to avoid or work around.

These foundations enable a wide range of use cases, from spinning up machine learning training clusters to scalable web services and complex SSO configurations, all benefiting from modular design and repeatability. The chapter also explains the 2023 license change for Terraform and the community-driven fork, OpenTofu, which keeps an open-source path forward. OpenTofu is largely a drop-in replacement, maintaining compatibility while adding long-requested features, though release timing and feature availability can differ. Throughout the book, examples are designed to work with both Terraform and OpenTofu so readers can adopt the workflows, practices, and tooling that best fit their teams and constraints.

Terraform has multiple levels of abstraction that allow developers to get things done without worrying about vendor-specific minutiae.

Vendor Abstraction in Terraform using Providers

A diagram showing the relationship between the components in a Web Application.

An example of a circular dependency in which resources are dependent on one another.

The Terraform Development Flow

A Graph of the Terraform Plan. This graph was directly generated by Terraform using the terraform graph command.

An example machine learning training cluster.

Components that are common when deploying web services.

Single Sign-On System Resources

Terraform and OpenTofu forking development.

Summary

Infrastructure as Code allows Software Development best practices to be applied to infrastructure.
Declarative Languages focus on what the end results should look like and allow the underlying engine to figure out how to get there.
Terraform is built on top of the HashiCorp Configuration Language (HCL).
Terraform Plans are Directed Acyclic Graphs, which means that actions are done in a specific order and that circular dependencies are not allowed.
Terraform has a generic workflow- Init, Plan, Apply- that developers will use when deploying changes.
Terraform Init is where Terraform downloads any needed providers or modules.
Terraform Plan is where Terraform compares the resources in the workspace with the desired set of resources and configuration in the code to create a plan for aligning the two.
During the Terraform Apply phase, Terraform runs the actions from the plan.
HashiCorp is no longer releasing Terraform under an open source license, which has resulted in a new open source fork named OpenTofu being created.
OpenTofu and Terraform are mostly interchangeable, and the differences between them will be called out in this book.

FAQ

What is Infrastructure as Code (IaC), and how does Terraform fit into it?

Infrastructure as Code lets you define and provision infrastructure using code and software engineering practices (version control, reviews, tests, CI/CD). Terraform is a vendor-agnostic IaC tool that uses a simple, declarative language (HCL) to describe the desired end state and then creates, updates, or destroys resources to match it. Its maturity and broad ecosystem have made it a de facto standard.

Why choose Terraform over vendor-specific or other IaC tools?

Terraform is vendor-agnostic, so the same workflow and language work across thousands of providers (AWS, GCP, Azure, DNS, SaaS tools, even “fun” ones like pizza delivery). Compared to vendor-specific tools (e.g., CloudFormation), Terraform’s HCL is designed for readability and ease of use, and Terraform’s ecosystem is very broad and mature.

How do Providers, the Terraform CLI/Core, and vendor APIs work together?

Terraform Core (in the CLI) reads your HCL and builds an execution plan. Providers are plugins (typically written in Go, communicating via gRPC) that translate Terraform’s requests into vendor-specific API calls and return results back to Core. This abstraction lets vendors and the community evolve providers independently of Terraform itself.

What are State, Backends, and Workspaces in Terraform?

State is Terraform’s metadata about the resources it manages. A Backend defines where that state lives (local filesystem by default, or remote stores like S3, GCS, etc.), enabling team collaboration. A Workspace represents one deployment of a codebase with its own state and configuration—think “a saved file” in a “filesystem” (backend) analogy.

What is HCL and why does Terraform use a declarative language?

HCL (HashiCorp Configuration Language) is human-readable and declarative: you describe the desired end state, not step-by-step instructions. Terraform then figures out the actions needed to reach that state. This improves readability, maintainability, and enables safe evolution without hand-written migration logic.

How does Terraform resolve dependencies, and what are the pitfalls?

Terraform builds a Directed Acyclic Graph (DAG) of actions by analyzing references between resources (e.g., app uses DB outputs, so DB comes first). It can parallelize independent steps and enforce order where needed. A core pitfall is circular dependencies—cycles in the graph prevent Terraform from proceeding and usually require design changes or manual workarounds.

What are the key phases of the Terraform workflow (init, plan, apply)?

Init downloads providers/modules and initializes the backend. Plan refreshes real resource state, compares it to your code, and produces a DAG of create/update/destroy actions. Apply executes that plan in the required order. Plans can be reviewed, stored, and used for gated approvals before apply.

How does Terraform integrate with CI/CD, and what are TACOS?

Terraform code fits naturally into Git-based workflows with formatting, linting, tests, and automated plans/applies. TACOS (Terraform Automation & Collaboration Software) platforms—like HCP Terraform/Terraform Enterprise, Spacelift, and Scalr—integrate with GitHub/GitLab for speculative plans, policy checks, module registries, and controlled deployments. General CI tools (GitHub Actions, CircleCI, Jenkins) often complement these.

What real-world use cases does the chapter highlight?

- Machine learning training clusters: rapidly spin up/down complex GPU clusters with networking, storage, permissions, and autoscaling. - Web/API platforms: reusable modules for load balancers, compute, SSL, DNS, caches, and databases. - SSO/identity management: codify users, groups, apps, and policies for auditability and safer change control. - Rapid prototyping: developers reuse battle-tested modules to experiment quickly without infrastructure overhead.

What is OpenTofu, why was it created, and is it compatible with Terraform?

After HashiCorp moved Terraform to the Business Source License (BSL) in 2023, the community created OpenTofu as an open-source fork under the Linux Foundation. OpenTofu aims for compatibility with Terraform code and is adding long-requested features, effectively becoming a superset in some areas. Most examples work with both, though OpenTofu may lag slightly behind Terraform on brand-new features, and using OpenTofu-only features can complicate moving back. Many package managers now favor OpenTofu for open-source availability.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $35.99

you save $12.00 (25%)

include audio $24.99 $18.74

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $35.99

you save $12.00 (25%)

include audio $24.99 $18.74

eBook

pdf, ePub, online

$47.99 $35.99

you save $12.00 (25%)

include audio $24.99 $18.74

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more