Terraform in Depth you own this product

Infrastructure as Code with Terraform and OpenTofu

Robert Hafner
Forewords by Anton Babenko and Christian Mesh

February 2025
ISBN 9781633438002
504 pages

Included with a Manning Online subscription

printed in black & white

available in Simplified Chinese

catalog / DevOps / Infrastructure as Code

resources: Source code Book forum Source code on GitHub Register your pBook for a free eBook

table of content

Part 1. Getting started with Terraform

1 A brief overview of Terraform

1.1 Infrastructure as code

1.1.1 Software development practices with IaC

1.1.2 Repeatability and shareability

1.1.3 Continuous integration and deployment

1.2 Terraform overview

1.2.1 Terraform language

1.2.2 Terraform CLI and core

1.2.3 Providers

1.2.4 Vendors

1.2.5 Backends

1.2.6 Workspaces

1.3 Declarative languages

1.3.1 Declarative vs. imperative languages

1.3.2 Dependency resolution

1.3.3 Pitfalls of declarative languages

1.4 Terraform deployment flow

1.4.1 Change desired

1.4.2 Init

1.4.3 Plan

1.4.4 Apply

1.5 What are people using this for?

1.5.1 Machine learning training

1.5.2 API and web services

1.5.3 Single sign-on authentication structure

1.5.4 Rapid prototyping

1.6 Terraform and OpenTofu

1.6.1 HashiCorp’s history with open source

1.6.2 HashiCorp license changes

1.6.3 Community reactions

1.6.4 OpenTofu fork

1.6.5 OpenTofu and Terraform compatibility

1.6.6 Using OpenTofu

Summary

2 Terraform HCL components

2.1 Hello World

2.1.1 Research and design

2.1.2 Creating the project

2.1.3 Setup providers

2.1.4 Getting our configuration values

2.1.5 Creating an instance

2.1.6 Running Terraform

2.2 Block syntax

2.2.1 Block types

2.2.2 Labels and subtypes

2.2.3 Arguments and subblocks

2.2.4 Attributes

2.2.5 Ordering

2.2.6 Style

2.3 Terraform settings

2.3.1 Backend and cloud blocks

2.3.2 Experiments

2.4 Providers

2.4.1 Provider registry

2.4.2 Required providers

2.4.3 Provider configuration

2.4.4 Provider aliases

2.5 Resources

2.5.1 Resource usage

2.6 Data sources

2.7 Meta arguments

2.7.1 Providers

2.7.2 Lifecycle

2.7.3 Explicit dependencies

2.8 Modules

2.9 Import, moved, and removed

Summary

3 Terraform variables and modules

3.1 Modules

3.1.1 Module usage

3.1.2 Module file structure

3.1.3 Root module

3.1.4 Submodules

3.1.5 Module registries

3.2 Input, output, and local variables

3.3 Input variables

3.3.1 Defining and using inputs

3.3.2 Marking variables as sensitive

3.3.3 Using types for robust code

3.4 Outputs

3.4.1 Defining and using outputs

3.4.2 Sensitive outputs

3.4.3 Output dependencies

3.5 Locals

3.5.1 Defining and using locals

3.6 Value types

3.6.1 Strings

3.6.2 Numbers

3.6.3 Booleans

3.6.4 Lists

3.6.5 Sets

3.6.6 Tuples

3.6.7 Objects

3.6.8 Maps

3.6.9 Null

3.6.10 Any

3.7 Validating inputs

3.8 A reusable instance module

3.8.1 Refactoring into a module

3.8.2 Using input variables to customize behavior

3.8.3 Adding output variables to encourage reuse

3.8.4 Testing our changes

3.8.5 Publishing

Summary

4 Expressions and iterations

4.1 Expanding our module

4.1.1 Research

4.1.2 Adding a name and tags

4.1.3 Allowing multiple instances

4.1.4 Creating a role

4.1.5 Enabling the session manager

4.1.6 Reviewing our work

4.2 Operators and conditionals

4.2.1 Math

4.2.2 Comparison

4.2.3 Boolean operators

4.2.4 Conditional (Terraform’s ternary operator)

4.2.5 Order

4.3 Functions

4.3.1 Calling and using functions

4.3.2 The standard library

4.3.3 Pure vs. impure functions

4.4 Strings and templates

4.4.1 The file function

4.4.2 The templatefile function

4.4.3 String template language

4.4.4 The template_file resource

4.4.5 When not to use templates

4.5 Regular expressions

4.5.1 Regex

4.5.2 Regexall

4.5.3 Replace

4.6 Type conversion

4.6.1 Implicit type conversion

4.6.2 The toType functions

4.6.3 Sensitive and nonsensitive

4.7 Try and can

4.8 count and for_each

4.8.1 count

4.8.2 for_each

4.8.3 Accessing attributes

4.8.4 Limitations and workarounds

4.9 For

4.9.1 List and object inputs

4.9.2 List and object outputs

4.9.3 Filtering

4.9.4 Grouping mode

4.9.5 Splat

4.10 Dynamic blocks

Summary

5 The Terraform plan

5.1 Directed acyclic graphs

5.1.1 DAGs

5.1.2 A Transport Layer Security example

5.2 The Terraform resource graph

5.2.1 Nodes

5.2.2 terraform graph command

5.2.3 Modules in the graph

5.3 Plan

5.3.1 Planning modes

5.3.2 Replace (previously known as taint)

5.3.3 Resource targeting

5.3.4 Disabling refresh

5.3.5 terraform refresh command

5.3.6 Reviewing plan files with terraform show

5.4 Root-level module input variables

5.4.1 Interactive

5.4.2 Variable flag

5.4.3 Variable files

5.4.4 Environment variables

5.4.5 Input precedence

5.4.6 A note on secrets and inputs

5.5 Apply

5.5.1 Plan and apply in a single command

5.5.2 Using a plan file

5.5.3 Destroy

5.6 Apply and plan options

5.6.1 Parallelism

5.6.2 Locking

5.6.3 JSON

5.6.4 Formatting flags

5.7 Common pitfalls and errors

5.7.1 Circular dependencies

5.7.2 Cascading changes

5.7.3 Hidden dependencies

5.7.4 Always detected changes

5.7.5 Calculated values and iterations

5.7.6 Failed state updates

Summary

Part 2. Terraform in production

6 State management

6.1 Purpose of state

6.1.1 Real-world linkage

6.1.2 Reduced complexity

6.1.3 Performance

6.1.4 State-only resources

6.2 Important considerations

6.2.1 Resiliency

6.2.2 Security

6.2.3 Availability

6.3 Dissecting state

6.3.1 State as JSON

6.3.2 State versions

6.3.3 Lineage and serial

6.3.4 Resources, outputs, and checks

6.4 Storing state

6.4.1 Possible backends

6.4.2 Configuring the backend Itself

6.4.3 Backend block

6.4.4 Alternative authentication methods

6.4.5 Cloud block

6.4.6 Migrating backends

6.4.7 Workspaces

6.4.8 Upgrading backends

6.5 Manipulating state

6.5.1 Backup and restore

6.5.2 Code-driven changes

6.5.3 CLI-driven changes

6.5.4 Manually editing

6.6 State drift

6.6.1 Accidental manual changes

6.6.2 Intentional manual changes

6.6.3 Conflicting automated changes

6.6.4 Terraform errors

6.7 Accessing state across projects

6.7.1 terraform_remote_state

6.7.2 Structuring for remote state

6.7.3 Alternatives to terraform_remote_state

6.8 State-only resources

6.8.1 Random provider

6.8.2 Time provider

6.8.3 Null provider

6.8.4 terraform_data

Summary

7 Code quality and continuous integration

7.1 Continuous integration practices

7.1.1 SCM

7.1.2 Branching and PRs

7.1.3 Code reviews

7.2 Local development

7.2.1 Standardizing and bootstrapping with software templates

7.2.2 Repeatable tasks with makefiles

7.2.3 Installing applications with makefiles

7.2.4 Terraform and OpenTofu

7.2.5 Terraform and OpenTofu versions

7.2.6 Pre-commit hooks

7.3 Tools for maintaining quality

7.3.1 terraform validate

7.3.2 Terratest and Terraform testing

7.3.3 TFlint

7.4 Validating security

7.4.1 Checkov

7.4.2 Trivy (formally TFSec)

7.4.3 Snyk, Checkmarx, and Mend

7.5 Custom policy enforcement

7.5.1 OPA with TFLint

7.5.2 Custom Checkov rules

7.6 Automating chores

7.6.1 terraform-docs

7.6.2 terraform fmt

7.6.3 tflint autofix

7.7 Enforcing quality with CI systems

7.7.1 Selecting a CI system

7.7.2 Building the basic workflows

7.7.3 Validating both OpenTofu and Terraform

7.7.4 Branch protection and required pipelines

7.7.5 Automated updates with Dependabot

Summary

8 Continuous delivery and deployment

8.1 Delivering modules

8.1.1 Semantic versioning and constraints

8.1.2 SCM-based module delivery

8.1.3 Public software registries

8.1.4 Private registries

8.1.5 Artifactory

8.2 Deploying infrastructure

8.2.1 What is a deployment?

8.2.2 Environments

8.2.3 CD

8.2.4 Deployment requirements and limitations

8.3 GitOps

8.3.1 GitOps development workflows

8.3.2 Continuous reconciliation

8.3.3 GitOps and CD platforms

8.4 Project structures

8.4.1 Application as root module

8.4.2 Environment as root module

8.4.3 Terragrunt

8.5 Managing secrets

8.5.1 OpenID Connect

8.5.2 Secret managers

8.5.3 Orchestrator Settings

8.6 CD platform features

8.6.1 Common features

8.6.2 Terraform vs. OpenTofu

8.6.3 State management and private registry

8.6.4 Drift detection and correction

8.6.5 IaC frameworks

8.6.6 Policy enforcement

8.6.7 Infrastructure cost estimates

8.7 CD platform overview

8.7.1 HCP Terraform

8.7.2 Env0 and Spacelift

8.7.3 Scalr

8.7.4 Digger and Terrateam

8.7.5 Harness and Octopus Deploy

8.7.6 Atlantis and Terrakube

Summary

9 Testing and refactoring

9.1 The theory of IaC testing

9.1.1 What to test (and what not to test)

9.1.2 How IaC testing differs from software testing

9.1.3 Terraform testing frameworks

9.1.4 Unit testing vs. integration testing

9.2 Testing IaC in practice

9.2.1 Simple testing flow

9.2.2 Starting with examples

9.2.3 Concurrency and automated testing

9.2.4 Timeouts

9.2.5 Automatic cleanup

9.2.6 Authentication and secrets

9.2.7 Testing as code

9.3 Terratest

9.3.1 Getting started with Go

9.3.2 Terratest Hello World

9.3.3 Building on examples

9.3.4 Terratest helpers

9.3.5 Updating our makefile and template

9.3.6 Testing with CI

9.3.7 Terratest and Copilot

9.4 Terraform testing framework

9.4.1 Hello World

9.4.2 Accessing named values

9.4.3 Mocks

9.4.4 Building on examples

9.4.5 Managing versions

9.4.6 Testing with CI

9.4.7 Terraform testing framework and Copilot

9.5 Refactoring

9.5.1 Refactoring vs. development

9.5.2 Internal vs. external refactoring

9.5.3 Reorganizing your project

9.5.4 Renaming resources and modules

9.5.5 Renaming variables

9.6 External refactoring

9.6.1 When to break compatibility

9.6.2 Planning your next major version

9.6.3 Building your next major version

9.6.4 Maintaining your previous major version

Summary

Part 3. Advanced Terraform topics

10 Advanced Terraform topics

10.1 Names and domains

10.1.1 Naming considerations

10.1.2 Hierarchical naming schemes

10.1.3 Domains

10.2 Network management

10.2.1 Subnetting with Classless Inter-Domain Routing

10.2.2 Common topologies

10.2.3 Location module

10.2.4 High-level module

10.3 Provisioners

10.3.1 Connections

10.3.2 Command provisioners

10.3.3 File provisioners

10.3.4 Provisioner control

10.3.5 terraform_data

10.3.6 Alternatives to using provisioners

10.4 External provider

10.4.1 External datasource

10.4.2 Wrapper program languages

10.4.3 Writing wrapper programs

10.4.4 Alternatives to external providers

10.5 Local provider

10.5.1 Functions

10.5.2 Data sources

10.5.3 Resources

10.6 Checks and conditions

10.6.1 Preconditions and postconditions

10.6.2 Checks

10.7 OpenTofu and Terraform compatibility

10.7.1 Tofu files

10.8 When Terraform isn’t appropriate

10.8.1 Kubernetes

10.8.2 Container image building

10.8.3 Machine image building

10.8.4 Artifact management

Summary

11 Alternative interfaces

11.1 Wrapping Terraform

11.1.1 JSON output and machine-readable UI

11.1.2 Initial Terraform client

11.1.3 Init

11.1.4 A detour into testing

11.1.5 Validating

11.1.6 State

11.1.7 Apply

11.1.8 Plan

11.1.9 Output

11.1.10 Using our library

11.2 Using JSON instead of HCL

11.2.1 JSON structure

11.2.2 Expressions and keywords

11.2.3 Comments

11.3 Cloud Development Kit for Terraform

11.3.1 Should I use CDKTF?

11.3.2 CDKTF setup

11.3.3 Apps, stacks, and resources

11.3.4 CDKTF usage

Summary

12 Terraform providers

12.1 Design

12.2 Developer environment

12.2.1 Template

12.2.2 Developer overrides

12.3 Terraform Plugin Framework features

12.3.1 Schemas

12.3.2 Error handling and logging

12.3.3 Testing

12.4 Provider interface

12.4.1 Template cleanup

12.4.2 Provider model and schema

12.4.3 Provider configuration

12.4.4 Provider testing

12.5 Data source

12.5.1 Data source schema

12.5.2 Configure

12.5.3 Read

12.5.4 Registration

12.5.5 Usage

12.5.6 Testing

12.6 Resources

12.6.1 Resource schema

12.6.2 Resource configure

12.6.3 Resource create

12.6.4 Resource read

12.6.5 Resource update

12.6.6 Resource delete

12.6.7 Registration

12.6.8 Testing

12.7 Functions

12.7.1 Function definition

12.7.2 Function run

12.7.3 Registration

12.7.4 Testing

12.8 Publishing

12.8.1 Updating documentation

12.8.2 Creating a GPG key

12.8.3 Registering the provider

12.8.4 Creating a release

Summary

Overview

11 Alternative Interfaces

This chapter explores how to work with Terraform and OpenTofu beyond writing HCL by hand. It frames Terraform as both a CLI engine and a language, then shows ways to drive that engine from other languages, consume its machine‑readable outputs, react to streaming events, and even generate configurations programmatically. The discussion also weighs when and why teams might prefer alternatives—whether to shield developers from HCL, to automate code generation, or to build higher‑level tools—while noting licensing implications that can make OpenTofu attractive for embedding.

The core technique is “wrapping the CLI”: invoking terraform/tofu with JSON and JSONL flags, parsing the structured output, and surfacing it as native data types. A Python example implements a small client that runs commands, handles errors, and maps results into classes for validate, state, outputs, plans, and applies. Longer‑running operations (plan/apply) are streamed via generators, enabling real‑time event hooks and summarized logs (e.g., version, diagnostics, outputs, and change summaries). State is modeled by combining a pulled state snapshot with a JSON “show” for completeness, and thorough tests are built around a lightweight module. With these building blocks, teams can create bespoke tooling—such as policy or security scanners that analyze plans before deployment.

The chapter then shows two ways to author configurations without HCL. First, you can write Terraform in JSON (tf.json): mirror HCL blocks as top‑level keys, use string interpolation for expressions, express keywords like depends_on as strings, and include machine‑readable comments via a special “//” field. Second, CDK for Terraform (CDKTF) lets you define infrastructure in general‑purpose languages (e.g., Python, TypeScript) and synthesize to Terraform JSON/HCL, organizing projects into Apps, Stacks, and Resources, and deploying via a synth‑plan‑apply flow. While CDKTF can help productize IaC generation, the chapter cautions that native Terraform remains simpler for most teams and notes that CDKTF targets Terraform, not OpenTofu.

Terraform using JSON Output

CDKTF Abstraction Layers

CDKTF Development Cycle

Summary

Terraform and OpenTofu are both built with the idea that they would be run programmatically, so they both utilize JSON as an optional output for most commands.
Terraform and OpenTofu have two outputs meant to be read by machines: the Machine Readable UI for streaming events, and the JSON Output Format for quick responses.
Both applications also are able to read JSON files instead of HCL to allow Terraform configurations to be generated programmatically.
JSON is available in pretty much every programming language available.
Humans should not write Terraform using JSON, instead relying on the more user friendly HCL.
CDKTF is another option for generating Terraform code from inside another programming language, although it is only available for a subset of languages.

FAQ

What does it mean to “wrap” the Terraform/OpenTofu CLI and why would I do it?

Wrapping means driving the terraform/tofu binary from your own program, then parsing its JSON output into native data structures for your language. You: - Build commands and execute them (capture stdout, stderr, return code). - Pass -json to get machine-readable output. - Parse JSON/JSONL and expose it via classes/structs (e.g., Validate, State, Plan). Use cases: custom deployment tooling, CI/CD integrations, streaming logs to UIs, security/cost/compliance analysis, or any need to control Terraform programmatically.

What’s the difference between the JSON Output Format and the Machine Readable UI?

- JSON Output Format: A single JSON object per command; used by commands like terraform show -json, terraform validate -json, terraform output -json, terraform version -json.
- Machine Readable UI: Streaming JSON lines (JSONL), one JSON object per line; used by long-running/streaming commands like terraform plan -json and terraform apply -json. It enables real-time processing of events as they arrive.

How can I stream and react to plan/apply events in real time?

Run plan/apply with -json and read stdout line-by-line (JSONL). Each event has standard fields (@level, @message, @module, @timestamp, type) plus type-specific fields. Common types: - version: tool/UI versions - outputs: final outputs - change_summary: counts of add/change/remove/import, operation - diagnostic: warnings and errors Implement “event handlers” keyed by event type (and/or an “all” handler) to forward logs, update UIs, or trigger actions while the run is in progress.

What core CLI commands can I wrap and what do their JSON structures look like?

- init: Support common flags (-backend=false, -backend-config file), plus passthrough extra args.
- validate: Returns valid, error_count, warning_count, diagnostics[]. Do not treat non-zero exit as a fatal process error; parse the response instead.
- state: Combine terraform state pull (for lineage/serial) with terraform show -json to build a complete State model (including outputs, modules, resources).
- plan: Stream events (for logs/UX) and also run terraform show -json on the plan file to build a structured Plan model (resource changes, drift, outputs, prior_state).
- apply: Stream events; aggregate outputs, change summary, diagnostics into a high-level ApplyLog.
- output: terraform output -json mapped to Output objects.

Are there licensing considerations when building tools on Terraform?

Yes. HashiCorp Terraform v1.6+ changed to a Business Source License (BSL) with restrictions for certain use cases. If you’re building tools or products around the engine, consider OpenTofu, which remains open source under a permissive license.

How do I write Terraform configurations in JSON instead of HCL?

Create files ending in .tf.json (or tofu.json for OpenTofu compatibility features). Each file is a single JSON object whose top-level keys mirror HCL blocks: - resource, data, variable, output, locals, module, provider, terraform You can split across multiple files and even mix HCL and JSON in the same directory. For providers with multiple configurations/aliases, use a list under the provider name.

How do expressions, references, and keywords work in JSON-based Terraform?

JSON has no native expression syntax. Use Terraform’s string template/interpolation: - References and functions: "${...}" (e.g., "${data.http.site.response_body}", "${upper(var.name)}") - Conditional templates: "%{ if ... }...%{ else }...%{ endif }" (string-oriented) - Keywords like depends_on or provider must be strings (e.g., "depends_on": ["data.http.site"]). Logic is string-focused and more limited than HCL expressions.

Can I add comments to Terraform JSON files?

JSON doesn’t support comments, but Terraform accepts a special "//" attribute anywhere in an object. Example: "//": "Generated, do not edit." These keys let you embed human context without breaking parsing.

What is CDKTF, how does it work, and when should I use it?

CDKTF (Cloud Development Kit for Terraform) lets you define IaC in languages like TypeScript, Python, Java, C#, or Go, then synthesizes to Terraform (JSON or HCL) and deploys with Terraform. - Concepts: App (container), Stacks (like top-level modules/workspaces), Resources (providers’ resources/data sources). - Workflow: cdktf init → code → cdktf synth → cdktf deploy/destroy. - Notes: CDKTF doesn’t directly support OpenTofu. It’s useful for products/tools that programmatically generate infrastructure. For most teams managing infra, native Terraform (HCL) is usually simpler and more mature.

How can these techniques help me build policy, security, or cost tools?

Plan/state parsing and streaming enable programmatic inspection: - Run init/plan, parse the Plan (ChangeContainer/Change) to detect risky patterns (e.g., any aws_vpc_security_group_ingress_rule with cidr_ipv4 "0.0.0.0/0"). - Stream apply/plan logs to surface diagnostics in real time. - Analyze State/Plan for compliance, drift, or cost estimation. - Integrate findings into CI/CD gates, custom dashboards, or automated approvals.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$64.99 $32.49

you save $32.50 (50%)

include audio $24.99 $12.49

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$64.99 $32.49

you save $32.50 (50%)

include audio $24.99 $12.49

eBook

pdf, ePub, online

$64.99 $32.49

you save $32.50 (50%)

include audio $24.99 $12.49

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more