How to pass HashiCorp Certified Terraform Associate exam
Terraform announced Associate certification for Cloud Engineers. So far I haven’t seen many blogs about Terraform certification, so I decided to share my tips. I hope it will be useful for people who are thinking about certification.
My name is Arkadiusz Borucki, I work with different public and private cloud providers, therefore I decided to use cloud-agnostic Terraform. I want to tell you my certification story and I would like to advise you to also try to pass the Terraform certification exam! During study you will discover many Terraform tips and hints which you maybe didn’t know before! It is very good if you want to make your knowledge more mature.
Study
I focused just on three sources and I think those materials are sufficient to pass the exam: Udemy HashiCorp Certified: Terraform Associate 2020 - very good Udemy training which covers the entire content of the exam, there is also the e-book HashiCorp Terraform Certified Associate Preparation Guide - this source is also very useful if you prefer reading over watching, and of course there is also the official study guide where you find everything about Terraform. You can test your knowledge by doing sample questions.
Key exam areas
- Pay attention to basic Terraform concepts - sometimes they are tricky and not as obvious as you think. Please read the summary below!
a. what is Terraform - it is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.
b. Infrastructure as Code - process of managing infrastructure in a file or files rather than manually configuring resources in a user interface
c. Terraform vs other tools - Terraform aims to have a few advantages over other IaC tools: Platform Agnostic, State Management, Operator Confidence.
d. Terraform vs. CloudFormation - CloudFormation works just on AWS, Terraform can work on any cloud provider (cloud agnostic).
e. HCL is a configuration language authored by HashiCorp. HCL is used with HashiCorp’s cloud infrastructure automation tools, like Terraform.
f. Terraform workflow - a simple workflow for deployment follows these steps: Scope, Author, Initialize, Plan & Apply.
g. installing Terraform - remember - it is a single binary named terraform. Download the proper package for your operating system and architecture and move it into the right path; there is no need to install any prerequisites like Go.
h. Terraform is available on the following operating systems: macOS, FreeBSD, Linux, OpenBSD, Solaris, Windows
i. Terraform provider - provider is responsible for understanding API interactions and exposing resources. Providers generally are an IaaS (e.g. Alibaba Cloud, AWS, GCP, Microsoft Azure, OpenStack), PaaS (e.g. Heroku), or SaaS services (e.g. Terraform Cloud, DNSimple, Cloudflare).
j. vault provider - The Vault provider allows Terraform to read from, write to, and configure HashiCorp Vault.
k. input variables — Input variables serve as parameters for a Terraform module. When used in the root module of a configuration, variables can be set from CLI arguments and environment variables.
- You should know when to use Terraform commands:
a. “terraform init” - command is used to initialize a working directory containing Terraform configuration files. This is the first command that should be run after writing a new Terraform configuration or cloning an existing one from version control. Init will create a hidden directory .terraform and download plugins as needed by the configuration. Terraform also uses init during the module installation step to download the source code to a directory on local disk so that it can be used by other Terraform commands.
b. “terraform plan” - command is used to create an execution plan. Terraform performs a refresh, unless explicitly disabled, and then determines what actions are necessary to achieve the desired state specified in the configuration files. This command is a way to check whether the execution plan for a set of changes matches your expectations without making any changes to real resources or to the state. The optional -out argument can be used to save the generated plan to a file for later execution with terraform apply.
c. “terraform fmt”- command is used to rewrite Terraform configuration files to a canonical format and style, so using this style in your own files will ensure consistency.
d. “terraform apply” - command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a terraform plan. The “-auto-approve” flag will skip interactive approval of the plan before applying.
e. “terraform refresh” - command is used to reconcile the state Terraform knows about (via its state file) with the real-world infrastructure. This can be used to detect any drift from the last-known state, and to update the state file. This does not modify infrastructure, but does modify the state file.
f. “terraform import” - command is used to import existing infrastructure. This allows you to take resources you’ve created by some other means and bring them under Terraform management. The current implementation of Terraform import can only import resources into the state. It does not generate configuration. A future version of Terraform will also generate configuration.
g. “terraform destroy”- Infrastructure managed by Terraform will be destroyed. This will ask for confirmation before destroying. This command is the reverse of terraform apply in that it terminates all the resources specified by the configuration. It does not destroy resources running elsewhere that are not described in the current configuration.
h. “terraform taint”- command manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on the next apply. Command will not modify infrastructure, but does modify the state file in order to mark a resource as tainted.
i. “terraform show”- is used to provide human-readable output from a state or plan file. This can be used to inspect a plan to ensure that the planned operations are expected, or to inspect the current state as Terraform sees it.
j. “terraform workspace” - The terraform workspace command is used to manage workspaces. Terraform workspace works differently in the open source version than in the enterprise version.
k. “terraform output”- The terraform output command is used to extract the value of an output variable from the state file.
l. “terraform state” - terraform state command is used for advanced state management. As your Terraform usage becomes more advanced, there are some cases where you may need to modify the Terraform state. Rather than modify the state directly, the terraform state commands can be used in many cases instead.
- State file - this is what you must know. Terraform stores state about managed infrastructure and configuration. This state is used by Terraform to map real world resources to your configuration, keep track of metadata, and to improve performance for large infrastructures.
a. change/update of state file - commands like terraform refresh and terraform apply update the state file, but terraform init, terraform plan, terraform fmt and terraform taint do not make any changes to real resources or to the state.
b. store remote state - In production environments it is a best practice to store state elsewhere than your local machine. The best way to do this is by running Terraform in a remote environment with shared access to state.
c. state locking - Terraform will lock your state for all operations that could write state. This prevents others from acquiring the lock and potentially corrupting your state. The force-unlock command can unlock the state if unlocking failed.
d. workspaces - backends support multiple named workspaces, allowing multiple states to be associated with a single configuration. The configuration still has only one backend, but multiple distinct instances of that configuration can be deployed without configuring a new backend or changing authentication credentials.
terraform workspace list
terraform workspace show
terraform workspace select <name>
terraform workspace new <name>
terraform workspace delete <name>
- Security - If you manage any sensitive data with Terraform (like database passwords, user passwords, or private keys), treat the state itself as sensitive data.
a. keep plain text secrets out of your code by taking advantage of Terraform’s native support for reading environment variables. Using environment variables keeps plain text secrets out of your code and version control system.
b. credentials in state file - Terraform state file can contain sensitive data like passwords. Storing state remotely can provide better security.
c. .gitignore - exclude all files which are likely to contain sensitive data.
- Terraform environment variables - Terraform refers to a number of environment variables to customize various aspects of its behavior.
a. TF_LOG - enables detailed logs to appear on stderr which is useful for debugging in case of problems. You can set TF_LOG to one of the log levels TRACE, DEBUG, INFO, WARN or ERROR to change the verbosity of the logs. TRACE is the most verbose and it is the default one.
b. TF_LOG_PATH - This specifies where the log should persist its output to. Note that even when TF_LOG_PATH is set, TF_LOG must be set in order for any logging to be enabled.
- Terraform resources - Each resource block describes one or more infrastructure objects, such as virtual networks, compute instances, or higher-level components such as DNS records.
a. Resource Addressing - Resource Address is a string that references a specific resource in a larger infrastructure.
b. Resource Lifecycle - ValidateResource, Diff, Apply.
- Explicit and implicit resource dependencies
a. Most resources in a configuration don’t have any particular relationship, and Terraform can make changes to several unrelated resources in parallel.
b. Some dependencies cannot be recognized implicitly in configuration. In these rare cases, the depends_on meta-argument can explicitly specify a dependency.
- Make sure you understand Terraform iteration features
a. count - count parameter on resources can simplify configurations and let you scale resources by simply incrementing a number.
b. for_each - for_each was introduced in Terraform 0.12.6 and it allows us to do the same as count, that is, to create multiple instances of the same resource, but with one important difference. It takes a map / set as input and uses the key of a map as an index of instances of the created resource.
- Terraform data source - Data sources allow data to be fetched or computed for use elsewhere in Terraform configuration. Use of data sources allows a Terraform configuration to make use of information defined outside of Terraform, or defined by another separate Terraform configuration.
- Terraform registry - it is a repository of providers and modules written by the Terraform community and by official cloud providers.
a. terraform module - Modules are small, reusable Terraform configurations that let you manage a group of related resources as if they were a single resource.
b. verified modules - verified modules are reviewed by HashiCorp and actively maintained by contributors to stay up-to-date and compatible with both Terraform and their respective providers.
- Terraform Cloud, Terraform Enterprise and OSS:
a. Terraform Enterprise is offered as a private installation. It is designed to suit the needs of organizations including more features (audit logging, SSO/SAML), more customization (private networking), performance (job scaling), and higher levels of support.
b. Sentinel Resource - Terraform Enterprise uses Sentinel to enforce policy on Terraform configurations, states, and plans.
c. Terraform Enterprise currently supports running under the following operating systems: Debian, Ubuntu, Red Hat Enterprise Linux, CentOS, Amazon Linux, Oracle Linux
d. Terraform Cloud is offered as a multi-tenant SaaS platform and is designed to suit the needs of smaller teams and organizations. It is limited to one run at a time, which prevents users from executing multiple runs concurrently.
e. Terraform Cloud has free and paid plans - Many of the Cloud features are free for small teams, including remote state storage, remote runs, and VCS connections. Terraform also offers paid plans for larger teams that include additional collaboration and governance features.
f. Terraform OSS vs Enterprise vs Cloud - make sure you understand the differences between the offerings.