Manage Complexity with Terraform

Transcript

1. Manage Complexity with Terraform Tips and Tricks from the Trenches

   Commit Your Code // 2025

2. Inside every Terraform developer... There are two wolves...

3. Inside every Terraform developer... Source: Gemini One prefers code that

   is easy to read

4. Inside every Terraform developer... Source: Gemini One prefers code that

   is easy to maintain

5. Source: Gemini Both agree, well organized code is most important

   when it matters most!

6. Source: https://unsplash.com/photos/a-building-with-a-sign-that-reads-public-library-E933tEDII1k

7. Source: https://commons.wikimedia.org/wiki/File:2008-09-24_Blockbuster_in_Durham.jpg

8. Justin Biard Software Engineer, Oracle Cloud Infrastructure Disclaimer: opinions presented

   are my own About me...

9. Agenda •What is Terraform? • Managing Complexity •Resources

10. What is Terraform?

11. What is Terraform? According to HashiCorp (IBM): • Terraform is

    an infrastructure as code tool that lets you build, change, and version infrastructure safely and efficiently. This includes low-level components like compute instances, storage, and networking; and high-level components like DNS entries and SaaS features. • Infrastructure as Code (IaC) Source: https://developer.hashicorp.com/terraform

12. What is Terraform? According to HashiCorp (IBM): • Terraform is

    an infrastructure as code tool that lets you build, change, and version infrastructure safely and efficiently. This includes low-level components like compute instances, storage, and networking; and high-level components like DNS entries and SaaS features. • Infrastructure as Code (IaC) • Build, change, and version infrastructure Source: https://developer.hashicorp.com/terraform

13. What is Terraform? Infrastructure as Code • Configuration of cloud

    infrastructure resources declared as code (an interpreted configuration language… HCL)

14. What is Terraform? Infrastructure as Code • Configuration of cloud

    infrastructure resources declared as code (an interpreted configuration language… HCL) terraform { ... } Network Load Balancer Database Firewall Compartment Policy Compute Secret ./my-project/main.tf

15. What is Terraform? Build, change, and version infrastructure • Write

    code and call terraform plan / apply terraform { ... } Network Load Balancer Compute Cloud Service $ terraform apply HTTPS

16. What is Terraform? Build, change, and version infrastructure • Versioning

    is both state reconciliation and source control terraform { ... } Network Load Balancer Compute Cloud Service Version Control {tfstate} $ git commit –m ... HTTPS

17. What is Terraform? Agnostic by design • Terraform providers deal

    with the nuances of each cloud terraform { ... } AWS GCP OCI Azure https://registry.terraform.io/browse/providers

18. What are the alternatives? Some other IaC tools… • OpenTofu

    • Pulumi • CloudFormation

19. Managing Complexity

20. Examples of complexity • Complex expressions or repetitive parameter updates,

    and unrelated resource definitions (low cohesion), and inconsistent formatting • Add locals • Add variables • Split configurations within a module or the default module • Run `terraform fmt` on every commit

21. Examples of complexity • Complex expressions or repetitive parameter updates,

    and unrelated resource definitions (low cohesion), and inconsistent formatting • Add locals • Add variables • Split configurations within a module or the default module • Run `terraform fmt` on every commit • Code duplication among groups of resources defined for similar purposes • Refactoring into modules

22. Examples of complexity • Complex expressions or repetitive parameter updates,

    and unrelated resource definitions (low cohesion), and inconsistent formatting • Add locals • Add variables • Split configurations within a module or the default module • Run `terraform fmt` on every commit • Code duplication among groups of resources defined for similar purposes • Refactoring into modules • Requirements for configuration diverge - inclusion/exclusion of resources for a given stage (dev vs. prod) • Conditional resources

23. Local variables Like variables or named constants in most other

    languages Pros: • Give semantic names to intermediate or constant values • Simplify or reuse expression results Cons: • Overuse can make configurations harder to read

24. Local variables (before) resource "lb_listener" "some_listener" { … port =

    8443 } resource "firewall_rule" "ingress_rule" { … min = 8443 max = 8443 }

25. Local variables (after) locals { service_port = 8443 } resource

    "lb_listener" "some_listener" { … port = local.service_port } resource "firewall_rule" "ingress_rule" { … min = local.service_port max = local.service_port } $ git checkout demo_locals

26. String interpolation + variables Often paired with locals or variable

    blocks Pros: • Variables can be supplied as external inputs • Good for dynamic display names and string parameters • Very useful in the context of modules Cons: • Variables can increase complexity depending on context (i.e. conditional expressions) https://developer.hashicorp.com/terraform/language/parameterize

27. String interpolation + variables (before) locals { stage = "dev"

    } ... resource "compute" "api_instance" { … # example: evaluates to api-instance-dev display_name = "api-instance-${local.stage}" }

28. String interpolation + variables (after) variable "stage" { type =

    string description = "Deployment stage (dev or prod)" default = "dev" } resource "compute" "api_instance" { … # example: defaults to api-instance-dev display_name = "api-instance-${var.stage}" } $ git checkout demo_vars

29. Conditional expressions Often paired with data, locals, or variable blocks

    Pros: • Useful for altering parameters based on input Cons: • Nesting expressions can be difficult to read

30. Conditional expressions (before) resource "lb_listener" "some_listener" { … port =

    8443 } resource "firewall_rule" "ingress_rule" { … min = 8443 max = 8443 }

31. Conditional expressions (after) locals { service_port = var.stage == "dev"

    ? 8080 : 8443 } resource "lb_listener" "some_listener" { … port = local.service_port } resource "firewall_rule" "ingress_rule" { … min = local.service_port max = local.service_port }

32. Putting it all together # pass variable values at runtime

    (default is dev) $ terraform apply

33. Putting it all together # pass variable values at runtime

    (default is dev) $ terraform apply vcn-dev lb-dev api-dev Cloud Service http://dev.myapp.com:8080

34. Putting it all together # pass variable values at runtime

    (default is dev) $ terraform apply $ terraform apply -var="stage=prod" vcn-dev lb-dev api-dev Cloud Service http://dev.myapp.com:8080 https://myapp.com:8443 vcn-prod lb-prod api-prod Cloud Service api-prod api-prod

35. Modules Reusable chunks of configuration Pros: • Allows for reuse

    of groups of resource definitions • Reduces maintenance and simplifies large configurations Cons: • Harder to read without navigating multiple sources • Need to deal with address changes when refactoring

36. Modules (before) resource "lb_listener" "dev_listener" { … } resource "firewall_rule"

    "dev_ingress_rule" { … } resource "lb_listener" "prd_listener" { … } resource "firewall_rule" "prd_ingress_rule" { … }

37. Modules (before) resource "lb_listener" "dev_listener" { … } resource "firewall_rule"

    "dev_ingress_rule" { … } resource "lb_listener" "prd_listener" { … } resource "firewall_rule" "prd_ingress_rule" { … } stage = "dev" port = 8080 stage = "prd" port = 8443

38. Modules (after) # in dev/main.tf module "service_network" { source =

    "./modules/network" stage = "dev" port = 8080 } # in prd/main.tf module "service_network" { source = "./modules/network" stage = "prd" port = 8443 } $ git checkout demo_modules

39. Modules example One big config with duplication BEFORE

40. Modules example One big config with duplication prod abc xyz

    dev xyz BEFORE AFTER ./modules/abc - main.tf - outputs.tf - variables.tf ./modules/xyz - main.tf - outputs.tf - variables.tf

41. Conditional resources Conditional single resource or groups of resources (modules)

    Pros: • Enable or disable resource creation conditionally (different stages, based on data sources, variables, capabilities, etc.) Cons: • Can make configurations difficult to reason about • Non-zero chance that resources could be misconfigured (added or removed unintentionally)

42. Conditional resources (before) resource "some_resource" "abc" { … } module

    "xyz" { source = "./modules/xyz" … }

43. Conditional resources (after) locals { is_enabled = var.stage == "prod"

    } resource "some_resource" "abc" { count = local.is_enabled ? 1 : 0 … } module "xyz" { count = local.is_enabled ? 1 : 0 source = "./modules/xyz" … } $ git checkout demo_conditions

44. Conditional resources example Some hypothetical requirements change • Add a

    load balancer and extra compute instances in production. • Development remains as a single compute with no load balancer.

45. Conditional resources example # in dev is_enabled = false

46. Conditional resources example vcn-dev api-dev Cloud Service # in dev

    is_enabled = false

47. Conditional resources example vcn-dev api-dev Cloud Service # in dev

    is_enabled = false # in prod is_enabled = true ???

48. Conditional resources example vcn-dev api-dev Cloud Service vcn-prod lb-prod api-prod

    Cloud Service api-prod api-prod # in dev is_enabled = false # in prod is_enabled = true ???

49. Resources Where to find more information from here...

50. More information Terraform / OpenTofu: • https://developer.hashicorp.com/terraform/language • https://registry.terraform.io/browse/providers •

    https://opentofu.org/docs/

51. More information • https://github.com/icodealot/cyc25-terraform

52. Recap •What is Terraform? • IaC •Managing Complexity • Locals,

    variables, modules, expressions, conditional resources, … •Resources

53. Image prompt credits Gemini 2.5 Flash, JSON

54. Justin Biard Software Engineer, Oracle Cloud Infrastructure Disclaimer: opinions presented

    are my own Thank you!