Ask HN: Who's Using Terraform?

5 pointsvogtb7y ago3 comments

I've used terraform for a couple of personal projects, and a bit at a company I used to work for, and I'm considering using it for my company. But I'm curious how other people are using it. I'm mostly interested in:

1) Do you use it for everything (eg ALL cloud resources created, updated, removed via terraform?)

2) Do you use it for isolated cases (eg creating roles and permissions in your cloud provider?)

3) Who runs it, and where? (eg run by individual contributors, or in an automated environment, or some other way?)

4) What are some things to watch out for? (eg patterns/anti-patterns.)

Just curious what it looks like out in the wild. Thanks!

3 comments

dmlittle7y ago

At Lob we just finished migrating all of our AWS resources to Terraform. We have a strict policy where everything (creating, updating or deleting) should be done through Terraform and the AWS console should be used as a read-only dashboard (some actions on the console such as invoking Lambdas, deleting an SQS messages, etc. are fine). We have alerting setup for any action that is performed in our AWS accounts that was done through the console.

Right now, changes are applied manually by the terraform changes author (every engineer has access to provision infrastructure they need, some teams have access to more AWS accounts than others) but we're looking to move to an automated environment such as Atlantis or Terraform Enterprise later this year.

vogtbOP7y ago

Nice, that sounds ideal! I've always found it frustrating to use the AWS console for anything other than dashboards and one-off trouble shooting.

You don't ever have issues with teams not applying resource changes? I.e. contributor A adds a resource, but doesn't apply it, and then contributor B goes to apply their changes and sees unexpected resource changes that they potentially don't have the permission to create? I guess that would be as much of a cross-team problem as a technical one.

dmlittle7y ago

Most of the Terraform changes are done by the infrastructure team which is currently 5 people. We're pretty diligent about making sure that whatever is in our master branch in the repo is what the source of truth is and what our environment should look like. If there's anything that looks off it gets caught by running a plan before applying and we quickly sync up and make sure to push the changes upstream or override them. For the smaller changes that are performed by other teams, they need a stamp of approval from someone in our infrastructure team and we make sure to be proactive about being available to not block them as well as making sure the changes are applied properly.

That being said, our current approach will definitely not scale well and that is why we're going be looking into a CI/CD pipeline way of applying changes.

It's also worth noting that it took _a lot_ of effort to migrate everything into terraform. The infrastructure team took the initiative to migrate everything in a zero-downtime way such that we wouldn't be affecting the application teams.

j / k navigate · click thread line to collapse

Ask HN: Who's Using Terraform?

5 pointsvogtb7y ago3 comments

1) Do you use it for everything (eg ALL cloud resources created, updated, removed via terraform?)

2) Do you use it for isolated cases (eg creating roles and permissions in your cloud provider?)

3) Who runs it, and where? (eg run by individual contributors, or in an automated environment, or some other way?)

4) What are some things to watch out for? (eg patterns/anti-patterns.)

Just curious what it looks like out in the wild. Thanks!

3 comments

dmlittle7y ago

vogtbOP7y ago

Nice, that sounds ideal! I've always found it frustrating to use the AWS console for anything other than dashboards and one-off trouble shooting.

dmlittle7y ago

That being said, our current approach will definitely not scale well and that is why we're going be looking into a CI/CD pipeline way of applying changes.

j / k navigate · click thread line to collapse