Introduction

Infrastructure-as-Code (IaC) is one of the best DevOps practices: it accelerates development and increases the quality of deployments. IaC has become a true industry standard. We observe that many of our customers who start their cloud journey adopt IaC, and specifically Terraform, from the very beginning. In our previous post, we looked at different IaC tools. In this post, we would like to present the latest IaC developments and trends and share our experience.

Improved testing capabilities

Terraform has long offered different kinds of validation, such as input variable validation, resource preconditions and postconditions, and check blocks. Finally, Terraform has launched a more powerful framework for unit and integration tests. Many things that previously had to be implemented manually using other programming languages and frameworks are now possible with HCL. The new framework introduced new file formats, .tftest.hcl and .tftest.json, as well as a new Terraform CLI command, “test”.

The main capability of the framework is to perform tests on real-world infrastructure. By default, the Terraform test command applies test configurations, but the behaviour can be changed to plan only. Optional assertions can be defined which can refer to variables, resource attributes and built-in functions, but executing a custom script in an assertion is not possible. A workaround for using custom scripts is to embed them in the shell resource provider or similar and then read the output of the resource or data source in the assertion.

The new framework will also automatically destroy the infrastructure provisioned during a test after the test is finished. This aspect is not helpful, since post-apply analysis can be very useful for debugging in some cases. An option to skip destruction is not implemented yet.

An advantage of the Terraform test is the introduction of run-blocks. Each run-block can refer to a specific test case or module and override the variable and provider configuration. This gives great flexibility for tests that require some initial setup which is not part of the main infrastructure code. The initial setup can be implemented by a run-block with a reference to a dedicated test module.

Finally, Terraform is able to accelerate the testing process by using mock providers without provisioning real-world infrastructure. This function is particularly useful for testing large infrastructures or resources with a long deployment time and for a large number of tests with different parameter values.
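The following is an added example, not code from the original post: a small module and a test file that together exercise run-blocks, plan-only mode, assertions, input variable validation and a mock provider. The bucket, resource and file names are assumptions, and the two parts belong in separate files as marked in the comments.

```hcl
# --- main.tf (constructed module under test; all names are assumptions) ---
variable "bucket_name" {
  type = string
  validation {
    condition     = can(regex("^[a-z0-9.-]{3,63}$", var.bucket_name))
    error_message = "bucket_name must be 3-63 lowercase letters, digits, dots or hyphens."
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = var.bucket_name
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# --- tests/logs.tftest.hcl (run with: terraform init && terraform test) ---
mock_provider "aws" {} # mocked provider: nothing is provisioned in a real account

variables {
  bucket_name = "example-audit-logs" # constructed sample value
}

run "public_access_is_blocked" {
  command = plan # plan only instead of the default apply

  assert {
    condition = alltrue([
      aws_s3_bucket_public_access_block.logs.block_public_acls,
      aws_s3_bucket_public_access_block.logs.block_public_policy,
      aws_s3_bucket_public_access_block.logs.ignore_public_acls,
      aws_s3_bucket_public_access_block.logs.restrict_public_buckets,
    ])
    error_message = "All four S3 public access block settings must be enabled."
  }
}

run "rejects_invalid_bucket_name" {
  command = plan
  variables {
    bucket_name = "Invalid_Name" # overrides the file-level value for this run only
  }
  expect_failures = [var.bucket_name] # the validation rule must reject this input
}
```

The first run-block acts as a guardrail against a change that silently relaxes the public access settings; the second confirms that the input validation itself still fires.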

Licensing Changes

HashiCorp has changed its source code license from Mozilla Public License v2.0 (MPL 2.0) to the Business Source License (BSL). This decision is motivated by the lack of valuable contributions to HashiCorp’s OSS from some other commercial vendors using this OSS. The new license model prohibits, among other things, the production usage of Terraform which competes with HashiCorp’s paid offers. Thus, many use cases remain unaffected by the licensing change.

However, for customers using the Terragrunt extension for Terraform, a restriction to the underlying Terraform version (v1.5.5 or older) has been introduced. As a reaction, Terragrunt and other vendors have founded OpenTofu, a fork of Terraform which is open-source, community-driven, and managed by the Linux Foundation. OpenTofu is already GA and its community will continuously implement important features compatible with future Terraform releases.

Time for the Cloud Edition?

Working with Terraform also means deciding which edition (self-hosted, cloud or enterprise) to use. Each option has its benefits and drawbacks.

Terraform Cloud and Terraform Enterprise have gained further improvements such as dynamic provider credentials, drift detection, stacks, third-party tools integration and policy evaluation. Note that Terraform Cloud is even free for up to 500 resources per month. The latest changes make Terraform Cloud/Enterprise even more attractive. However, there are still some points to consider.

First of all, there is data security and the authorised storage locations for data. Many European companies restrict the storage location to the EU. In this case, Terraform Cloud, which stores all customer data in the United States, is not an option. If Cloud features are still required, then Terraform Enterprise, a self-hosted version of Terraform Cloud, is the choice; consequently, it requires more installation and administration work.

Although the Cloud and Enterprise editions provide customers with an all-in-one tool to develop and operate IaC, a good portion of their features, e.g. state and credentials management, RBAC and drift detection, can be quite easily implemented by other DevOps frameworks and public cloud services. From our experience, the Terraform community edition is more than sufficient for most use cases, but of course the scale of infrastructure matters.

Looking at Competitors

Among other IaC tools, only Pulumi can potentially compete with Terraform. The important criterion is the number of supported resource providers. Pulumi launched its registry in 2021 with support for 64 leading cloud providers and today offers over 150 packages. Terraform Registry overwhelms this number with over 3800 providers. A similar ratio is reflected in the number of customers: 2000 and 40000 for Pulumi and Terraform, respectively. Terraform clearly remains an industry leader for IaC.

However, Pulumi keeps growing and attracts new funding. Pulumi was from the very beginning targeted at writing IaC code in popular programming languages such as TypeScript/JavaScript, Python, Go, C#, Java, and YAML. In contrast, Terraform first released its cloud development kit (CDKTF) for general availability in 2022. In the meantime, CDKTF offers about 110 implemented providers and is somewhat behind Pulumi.

Summary

We have reviewed what are, in our opinion, the most important trends in the IaC world, with the focus on Terraform as a leader. As expected, Terraform has brought many new valuable features to the market in the last year and still remained OSS for our use cases. At the same time, it is exciting to observe the rise of other OSS IaC projects. Clearly, there is no consolidation in the developer community yet. We will continue to pursue this development in our next blogs.