We need to provision multiple sets of predefined AWS infrastructure components. The set of components is fixed, and defined by a database of properties, e.g. the properties may include a Swagger file for a Gateway API, some URL patterns for a CloudFront distribution, etc.
There is only a limited and defined variation among these components and their properties. The properties may change over the lifetime of the components.
We were weighing the option of using Terraform to provision and maintain these resources, vs writing scripts ourselves using the AWS SDK and APIs.
Terraform with AWS provider makes things super easy, as compared to manually writing all the provisioning and modification code. However, the team is concerned about the degree of determinism in the process, especially since we want to auto-apply the changes without human review or interaction.
Let’s say my database of properties changes and I want to make changes to a few resource sets, and add a whole new resource set.
If I can guarantee that only this Terraform is changing my AWS infrastructure (no one going to the console to change anything manually, strict infrastructure as code), then will the plan always work in the same way? Of course it's a computer program and it's ultimately deterministic and will always "work in the same way", but what I want to ask is, to those who know the internal workings of Terraform (and the generated CloudFormation) better, what are the risks of using this approach to managing our infrastructure? What risk do we avoid by taking the more painstaking SDK / API based change management approach vs Terraform? Does Terraform have complex, conditional optimizations built in which can result in different upgrade and change paths for different change types, which makes human review of the plan always necessary to ensure the adopted change path is not risky?
Putting the same question differently, do you see any risk in using a database to auto-generate .tfvars for fixed Terraform provisioning modules, and assuming that repeated re-application of different variations of those tfvars and adding/removing whole modules will always result in the same AWS infrastructure?
Thanks
Asif
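One practical safeguard for the unattended-apply workflow described in the question, added here as an example and not part of the original post: run `terraform plan -out=plan.tfplan`, export it with `terraform show -json plan.tfplan`, and gate the apply on the planned actions. The gate below refuses to auto-apply if any change is a destroy or replacement, or touches a resource outside the database-driven modules. The plan JSON and the `module.site[...]` addresses are a constructed sample; only the `resource_changes[].address` and `change.actions` fields of the real plan format are relied on.

```python
import json

# Change actions that are safe to apply without a human in the loop.
SAFE_ACTIONS = {"no-op", "create", "update", "read"}

# Constructed sample of `terraform show -json plan.tfplan` output, trimmed to
# the fields this check needs (resource_changes[].address / change.actions).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": 'module.site["shop"].aws_cloudfront_distribution.this',
         "change": {"actions": ["update"]}},
        {"address": 'module.site["docs"].aws_api_gateway_rest_api.this',
         "change": {"actions": ["create"]}},
        {"address": 'module.site["shop"].aws_api_gateway_rest_api.this',
         "change": {"actions": ["delete", "create"]}},   # a replacement
        {"address": "aws_iam_role.legacy",
         "change": {"actions": ["delete"]}},             # outside the modules
    ],
})


def gate_plan(plan_json, allowed_prefix="module.site["):
    """Return (ok, findings). ok is True only when every planned change is an
    additive or in-place action on a resource under allowed_prefix."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        addr = rc["address"]
        actions = rc["change"]["actions"]
        if actions == ["no-op"]:
            continue
        if not addr.startswith(allowed_prefix):
            findings.append(f"{addr}: outside managed modules ({actions})")
        if set(actions) - SAFE_ACTIONS:
            # ["delete","create"] or ["create","delete"] means replacement.
            kind = "replace" if len(actions) == 2 else "destroy"
            findings.append(f"{addr}: {kind} requires human review")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = gate_plan(SAMPLE_PLAN)
    print("auto-apply allowed" if ok else "blocked:\n  " + "\n  ".join(findings))
```

Wiring this between `plan` and `apply` in CI means a tfvars change that would replace an API Gateway or CloudFront distribution stops the pipeline instead of silently recreating the resource.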