HashiCorp has released v0.8 of Terraform, an open source tool that enables the building, combining and launching of programmable infrastructure via providers such as Amazon Web Services, VMware vSphere, and UltraDNS. Major new functionality includes an interactive console, conditional values, and HashiCorp Vault and Nomad providers.
Terraform 0.8 adds a new interactive console, started with the ‘terraform console’ command, that can be used to experiment with interpolations and inspect infrastructure. The HashiCorp blog suggests that for developers new to Terraform the console is a useful additional learning resource, as any interpolation (anything you would put in a Terraform configuration attribute) can be entered into the console and the resulting output explored. The console is currently read-only, which prevents any accidental change to infrastructure or state.
Interpolations now support basic conditionals, which allow the conditional assignment of a value, for example within a resource meta-parameter. When combined with a resource ‘count’ parameter this enables conditional inclusion of resources, e.g. ‘count = "${var.env == "production" ? 1 : 0}"’. In this example, setting the variable ‘env’ to anything other than ‘production’ gives the associated resource a count of 0, so it is not created. Terraform supports the following operators in conditions: equality (== and !=); numerical comparison (>, <, >= and <=); and boolean operators (&&, || and the unary !).
In Terraform 0.8 it is now possible to specify a Terraform version requirement using the ‘required_version’ setting of the ‘terraform’ configuration block, e.g. ‘required_version = ">= 0.8, < 0.9"’. The HashiCorp blog states that this feature has been added to prevent a Terraform configuration from being run against an unexpected Terraform version; for example, it can block an apply against an older Terraform binary containing bugs, since fixed in newer versions, that could damage existing infrastructure. If the running version of Terraform does not satisfy the constraint, Terraform outputs an error very early on, notifying the user that they must change their Terraform version before interacting with the configuration.
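The following configuration is an added example (not code from the HashiCorp release post) that combines the two features described above: it pins the Terraform version range with ‘required_version’ and uses an interpolation conditional on ‘count’ to create a resource only in production. The AWS region, AMI ID and instance type are placeholders.

```hcl
# Added example, not from the Terraform 0.8 release post. Region, AMI and
# instance type are placeholders; substitute values for your own account.

# Refuse to run under any Terraform outside the 0.8.x series.
terraform {
  required_version = ">= 0.8, < 0.9"
}

variable "env" {
  description = "Deployment environment, e.g. staging or production"
  default     = "staging"
}

provider "aws" {
  region = "us-east-1"
}

# count is 1 only when var.env == "production"; with count = 0 the
# resource is omitted from the plan entirely, so running
#   terraform plan -var env=staging
# shows no aws_instance.bastion, while -var env=production creates one.
resource "aws_instance" "bastion" {
  count         = "${var.env == "production" ? 1 : 0}"
  ami           = "ami-00000000"   # placeholder AMI ID
  instance_type = "t2.micro"
}
```

Two caveats worth knowing before relying on this pattern. First, the 0.8 interpolation language evaluates both branches of a conditional before choosing one, so each branch must be a valid expression on its own (a branch that indexes into an empty list, for instance, still fails). Second, the conditional yields a primitive value (string, number or boolean), not a list or map, so it suits ‘count’ and scalar attributes but cannot switch whole blocks of configuration.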
Creating and changing infrastructure often requires a number of different credentials, for example API access tokens and database administration passwords, and the best place to store those credentials is a secure secret management tool. The Terraform Vault provider allows Terraform to read from, write to, and configure Vault, HashiCorp’s tool for managing secrets.
The Terraform documentation states that the Vault provider currently only supports the generic secret backend, but this covers two primary common use cases: (1) configuring and populating Vault: Terraform can be used by the Vault administrators to configure Vault and populate it with secrets; and (2) using Vault credentials within Terraform configuration: credentials can be obtained from Vault, which means that operators or systems running Terraform need only access to a suitably-privileged Vault token in order to temporarily lease the credentials for other providers.
It is important to note that the Terraform Vault provider documentation states that interacting with Vault from Terraform causes any secrets that you read and write to be persisted in both Terraform's state file and in any generated plan files. For any Terraform module that reads or writes Vault secrets, these files should be treated as sensitive and protected accordingly. In addition, currently Terraform has no mechanism to redact or protect secrets that are provided via configuration, and accordingly teams choosing to use Terraform for populating Vault secrets should pay careful attention to the notes on each resource's documentation page about how any secrets are persisted to the state and consider carefully whether such usage is compatible with their organisational security policies.
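The configuration below is an added example (not taken from the Vault provider documentation) covering the two use cases described above: populating Vault with a secret from Terraform, and reading credentials out of Vault for use by another provider. The Vault address, the secret paths and the key names inside each secret are assumptions.

```hcl
# Added example, not from the Vault provider docs. The Vault address,
# secret paths and the keys inside each secret are assumptions.
provider "vault" {
  address = "https://vault.example.com:8200"
  # The Vault token is read from the VAULT_TOKEN environment variable
  # when no token argument is set here; never hard-code it in config.
}

# Use case 1: populate Vault from Terraform. Supply the value with
#   terraform apply -var db_admin_password=...   (or TF_VAR_db_admin_password)
# rather than a committed .tfvars file. Note that the password is still
# written to the state file and to any -out plan file.
variable "db_admin_password" {}

resource "vault_generic_secret" "db_admin" {
  path = "secret/db/admin"

  data_json = <<EOT
{
  "username": "admin",
  "password": "${var.db_admin_password}"
}
EOT
}

# Use case 2: fetch credentials for another provider from Vault, so the
# operator only needs a suitably scoped Vault token.
data "vault_generic_secret" "aws_terraform" {
  path = "secret/aws/terraform"
}

provider "aws" {
  region     = "us-east-1"
  access_key = "${data.vault_generic_secret.aws_terraform.data["access_key"]}"
  secret_key = "${data.vault_generic_secret.aws_terraform.data["secret_key"]}"
}
```

Because every value read or written here is persisted in the state, the state file should live somewhere access-controlled and encrypted rather than in the working directory or a source repository. In 0.8 that is configured with ‘terraform remote config’ (for example an S3 backend with ‘-backend-config="encrypt=true"’ and a restrictive bucket policy), and plan files written with ‘-out’ should be handled with the same care as the state itself.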
The new Nomad provider enables Terraform to set up jobs for the HashiCorp Nomad distributed scheduler that must run as part of the infrastructure creation process. The use case here is primarily system jobs or batch initialization jobs. The HashiCorp blog suggests that this new functionality is not intended to replace nomad run completely, but Terraform can be used to bootstrap a cluster and associated applications.
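As an added example (not from the Nomad provider documentation), the configuration below registers a system job with Nomad as part of a Terraform run; the Nomad address, datacenter and container image are assumptions.

```hcl
# Added example, not from the Nomad provider docs. The Nomad address,
# datacenter name and container image are assumptions.
provider "nomad" {
  address = "http://nomad.example.com:4646"
  region  = "global"
}

# A system job runs one instance on every client node, which is the kind of
# bootstrap workload (log shipper, metrics agent) the provider is aimed at.
# The job spec is embedded as a heredoc; jobspec = "${file("agent.nomad")}"
# would load it from a file instead.
resource "nomad_job" "node_agent" {
  jobspec = <<EOT
job "node-agent" {
  datacenters = ["dc1"]
  type        = "system"

  group "agent" {
    task "agent" {
      driver = "docker"

      config {
        image = "example/node-agent:1.0"
      }

      resources {
        cpu    = 100
        memory = 64
      }
    }
  }
}
EOT
}
```

One pitfall: Terraform interpolates the heredoc, so any Nomad runtime variable written as ‘${NOMAD_PORT_http}’ inside the job spec must be escaped as ‘$${NOMAD_PORT_http}’ or Terraform will try to resolve it itself. Destroying the Terraform resource deregisters the job, so jobs that must outlive the bootstrap run are better managed with ‘nomad run’ directly, as the blog post suggests.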
Terraform 0.8 introduces several backwards incompatibilities with Terraform 0.7, and the HashiCorp team suggests that developers review the upgrade guide. The upgrade guide includes details of all backwards incompatibilities and necessary considerations when upgrading to 0.8.
Additional details on the release of HashiCorp Terraform v0.8 can be found on the HashiCorp blog. The Terraform binaries can be downloaded from the HashiCorp website, and the Terraform source code (primarily written in Go) can be found in the project’s GitHub repository.