Realized I missed a key point on Terraform: I advise anyone using Terraform in production to wrap it up in some sort of automation. HashiCorp would of course like you to use Atlas :D but you can get a long way with CI/automation tools like Jenkins, Rundeck, ... We have a wrapper script which:
- configures the remote state in a predictable way (setting up remote state properly is one of the more fiddly parts of Terraform usage)
- takes a snapshot of the current state
- runs "terraform plan" to produce a plan file
- takes a snapshot of the current state, which has now been refreshed by Terraform
- pauses here and waits for human approval of the plan
- takes a snapshot of the current state one more time, even though it's usually just another copy of the last state we snapshotted
- runs "terraform apply" to apply the plan created earlier
- takes a snapshot of the final state

All that state-snapshotting is an insurance policy against Terraform getting itself confused. There are definitely some gotchas in this area[1] but honestly we've only actually made use of these zealous state snapshots on two separate occasions, and they were both on our pre-production staging environment (which we deploy to more carelessly, as a dry run for production) rather than our production environment.

I have thought about open sourcing that wrapper script but sadly it has some assumptions about our environment built into it (e.g. locking using a specific service in our world, so that two deploys can't run concurrently) and I've not had the time to scrub them out and generalize it.

[1] https://gist.github.com/apparentlymart/657885e730d1e5abc6ea
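
The sequence described in the comment above, written out as an added example; it is not the commenter's wrapper script. It uses current Terraform CLI commands (`init -backend-config`, `state pull`, `plan -out`, `apply <planfile>`), and the variable names, the `APPROVE_CMD` hook and the `mkdir`-based lock (standing in for the lock service the comment mentions) are assumptions.

```shell
#!/bin/sh
# Added example (not the commenter's script): plan / approve / apply with state snapshots.
# Assumed names: SNAP_DIR, LOCK_DIR, BACKEND_CONFIG, PLAN_FILE, RUN_ID, APPROVE_CMD.
SNAP_DIR="${SNAP_DIR:-./state-snapshots}"
LOCK_DIR="${LOCK_DIR:-./.deploy.lock}"
BACKEND_CONFIG="${BACKEND_CONFIG:-backend.hcl}"
PLAN_FILE="${PLAN_FILE:-deploy.tfplan}"

# snapshot <label>: copy the current remote state into a labelled file.
snapshot() {
  mkdir -p "$SNAP_DIR" || return 1
  terraform state pull > "$SNAP_DIR/$RUN_ID-$1.tfstate"
}

# approve: block until a human accepts the plan. In CI, set APPROVE_CMD to a
# command that performs the approval gate and exits non-zero on rejection.
approve() {
  if [ -n "${APPROVE_CMD:-}" ]; then "$APPROVE_CMD" "$PLAN_FILE"; return; fi
  terraform show "$PLAN_FILE"
  printf 'Apply this plan? Type "yes" to continue: '
  read -r answer && [ "$answer" = "yes" ]
}

run_steps() {
  # Backend settings always come from one file, so remote state is set up the same way each run.
  terraform init -input=false -backend-config="$BACKEND_CONFIG" || return 1
  snapshot 1-before-plan || return 1
  terraform plan -input=false -out="$PLAN_FILE" || return 1
  snapshot 2-after-plan || return 1        # state as refreshed by the plan
  approve || { echo "plan rejected, nothing applied" >&2; return 3; }
  snapshot 3-before-apply || return 1
  apply_rc=0
  terraform apply -input=false "$PLAN_FILE" || apply_rc=$?   # applies only the saved plan
  snapshot 4-final || return 1             # taken even when apply failed
  return "$apply_rc"
}

deploy() {
  RUN_ID="${RUN_ID:-$(date -u +%Y%m%dT%H%M%SZ)}"
  umask 077   # state files can contain secrets: keep snapshots owner-only
  # mkdir is atomic, so a second concurrent deploy stops here.
  mkdir "$LOCK_DIR" 2>/dev/null || { echo "another deploy holds $LOCK_DIR" >&2; return 2; }
  run_steps && rc=0 || rc=$?
  rmdir "$LOCK_DIR"
  return "$rc"
}
```

Source the file and call `deploy` from the CI job; exit status 2 means the lock was held and 3 means the plan was rejected.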