weekly.tf #34 - driftctl, CDK for TF 0.1

Thank you everyone for reading this newsletter and sending in links to be included. If you have something that you would like me to take a look at, please email me or respond to this email.

One of the major challenges when using Terraform to manage infrastructure is drift - the hard-to-prevent erosion of the 1:1 mapping between your code and the state of the deployed infrastructure. All software platforms have some form of erosion.

If you are an infrastructure engineer, a tool like driftctl might not seem like a big deal - you probably already know that things suck. But here's the thing - your boss probably doesn't understand the extent of the problem and has no way of knowing whether it is getting better or worse. To get folks who are not working day-to-day with infrastructure to understand the state of drift, you need data.

driftctl seems like a great way to collect that data, but I would want to automate the collection and make sure the results land somewhere I can build a dashboard on.
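One way to close that loop, as an added example that is not from the newsletter or from the driftctl project: run a scan, reduce the JSON report to a handful of numbers, and write them in Prometheus text exposition format so node_exporter's textfile collector (or any scraper that reads that format) can pick them up for a dashboard. The shape of driftctl's JSON output assumed here (top-level `managed`, `unmanaged`, `deleted` and `differences` lists, each entry carrying `id` and `type`, with `differences` nesting the resource under `res`), the `--from tfstate://...` and `--output json://...` flags, and the `workspace` label are all assumptions to check against the driftctl version you run; the sample report is constructed, not a real scan. It goes one step beyond a single drift number by breaking unmanaged resources out per type, which is what you actually want to page on when an IAM user or security group shows up outside Terraform.

```python
"""Collect driftctl scan results as Prometheus textfile metrics (added example)."""
import json
import subprocess
import sys
from collections import Counter
from typing import Dict, Optional

# Constructed sample of a driftctl JSON report (assumed shape, not a real scan).
SAMPLE_SCAN = json.dumps({
    "managed": [
        {"id": "app-logs", "type": "aws_s3_bucket"},
        {"id": "app-role", "type": "aws_iam_role"},
        {"id": "sg-0a1b2c3d", "type": "aws_security_group"},
    ],
    "unmanaged": [
        {"id": "bob", "type": "aws_iam_user"},
        {"id": "sg-0ffffff0", "type": "aws_security_group"},
    ],
    "deleted": [
        {"id": "old-bucket", "type": "aws_s3_bucket"},
    ],
    "differences": [
        {"res": {"id": "sg-0a1b2c3d", "type": "aws_security_group"},
         "changelog": [{"type": "update", "path": ["ingress"],
                        "from": None, "to": "0.0.0.0/0"}]},
    ],
})


def summarize(scan_json: str) -> dict:
    """Reduce a report to the numbers worth graphing.

    Counts come from the lists rather than from any summary block driftctl
    may emit, so this works even if that block is absent or renamed.
    Coverage follows driftctl's definition: managed / (managed + unmanaged).
    """
    scan = json.loads(scan_json)
    managed = scan.get("managed") or []
    unmanaged = scan.get("unmanaged") or []
    deleted = scan.get("deleted") or []
    changed = scan.get("differences") or []
    known = len(managed) + len(unmanaged)
    coverage = 100.0 * len(managed) / known if known else 100.0
    return {
        "managed": len(managed),
        "unmanaged": len(unmanaged),
        "deleted": len(deleted),
        "changed": len(changed),
        "coverage_percent": round(coverage, 1),
        # Which resource types are being created outside Terraform.
        "unmanaged_by_type": dict(Counter(r["type"] for r in unmanaged)),
    }


def render_textfile(summary: dict, labels: Dict[str, str]) -> str:
    """Emit Prometheus text exposition format for the textfile collector."""
    def fmt_labels(extra: Optional[Dict[str, str]] = None) -> str:
        items = dict(labels, **(extra or {}))
        return "{" + ",".join(f'{k}="{v}"' for k, v in sorted(items.items())) + "}"

    lines = [
        "# HELP driftctl_resources Resources seen by driftctl, by kind.",
        "# TYPE driftctl_resources gauge",
    ]
    for kind in ("managed", "unmanaged", "deleted", "changed"):
        lines.append(f"driftctl_resources{fmt_labels({'kind': kind})} {summary[kind]}")
    lines += [
        "# HELP driftctl_coverage_percent Share of known resources managed by Terraform.",
        "# TYPE driftctl_coverage_percent gauge",
        f"driftctl_coverage_percent{fmt_labels()} {summary['coverage_percent']}",
        "# HELP driftctl_unmanaged_resources Unmanaged resources by type.",
        "# TYPE driftctl_unmanaged_resources gauge",
    ]
    for rtype, n in sorted(summary["unmanaged_by_type"].items()):
        lines.append(f"driftctl_unmanaged_resources{fmt_labels({'type': rtype})} {n}")
    return "\n".join(lines) + "\n"


def run_scan(state_path: str, out_path: str = "drift.json") -> str:
    """Run driftctl against a local state file and return its JSON report.

    driftctl exits non-zero when it finds drift, so the exit code is not
    treated as an error; a missing report file is (the open() will raise).
    Flags are assumed from driftctl's documented CLI.
    """
    subprocess.run(
        ["driftctl", "scan", "--from", f"tfstate://{state_path}",
         "--output", f"json://{out_path}"],
        check=False,
    )
    with open(out_path) as fh:
        return fh.read()


if __name__ == "__main__":
    # With a state file argument, scan for real; otherwise use the sample.
    report = run_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SCAN
    sys.stdout.write(render_textfile(summarize(report), {"workspace": "prod"}))
```

Run it from cron or a CI job, redirect stdout to a `.prom` file in the textfile collector's directory, and the coverage and unmanaged-by-type series give you the "is it getting better or worse" graph without anyone having to read a scan by hand.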

The CDK for Terraform was announced back in July 2020 and has now released version 0.1. Java and C# support have been added, along with a number of small improvements like better support for Terraform Cloud and Enterprise.

If, like me, you run Terraform Enterprise (TFE) for work and were disappointed by the previous efforts at running on more than one compute instance, then this release should make you excited.

You can now run TFE across multiple compute nodes, and there is an incremental migration path from a single node. AFAICT, once you move Redis to external storage (that is, off the compute node) you can just add more nodes. The docs are nice and thorough.

Notable Releases

The first alpha of Terraform 0.15 is out, with a number of incremental improvements and the removal of deprecated features.

Support added for a new postgres backend configuration option, and a bunch of small improvements and bug fixes.

New data sources–

  • aws_api_gateway_domain_name (#12489)

  • aws_identitystore_group (#15322)

  • aws_identitystore_user (#15322)

New resources–

  • aws_cloudwatch_composite_alarm (#15023)

  • aws_fms_policy (#9594)

  • aws_route53_resolver_dnssec_config (#17012)

  • aws_sagemaker_domain (#16077)

  • aws_ssoadmin_account_assignment (#15322)

Improvements to–

  • data-source/aws_workspaces_directory

  • resource/aws_api_gateway_base_path_mapping

  • resource/aws_api_gateway_domain_name

  • resource/aws_api_gateway_integration

  • resource/aws_api_gateway_method

  • resource/aws_api_gateway_rest_api

  • resource/aws_apigatewayv2_integration

  • resource/aws_codepipeline

  • resource/aws_dms_endpoint

  • resource/aws_elasticache_cluster

  • resource/aws_elasticache_replication_group

  • resource/aws_globalaccelerator_accelerator

  • resource/aws_globalaccelerator_endpoint_group

  • resource/aws_globalaccelerator_endpoint_listener

  • resource/aws_instance

  • resource/aws_workspaces_directory

Improvements and bug fixes–

  • data-source/aws_workspaces_directory: Add access properties (#16688)

  • resource/aws_api_gateway_base_path_mapping: Support in-place updates for api_id, base_path, and stage_name (#16147)

  • resource/aws_api_gateway_domain_name: Add mutual_tls_authentication configuration block (#15258)

  • resource/aws_api_gateway_integration: Add tls_config configuration block (#15499)

  • resource/aws_api_gateway_method: Add operation_name argument (#13282)

  • resource/aws_api_gateway_rest_api: Add disable_execute_api_endpoint argument (#16198)

  • resource/aws_api_gateway_rest_api: Add parameters argument (#7374)

  • resource/aws_apigatewayv2_integration: Add response_parameters attribute (#17043)

  • resource/aws_codepipeline: Deprecates GitHub v1 (OAuth token) authentication and removes hashing of GitHub token (#16959)

  • resource/aws_codepipeline: Adds GitHub v2 (CodeStar Connection) authentication (#16959)

  • resource/aws_dms_endpoint: Add s3_settings date_partition_enabled argument (#16827)

  • resource/aws_elasticache_cluster: Add support for final snapshot with Redis engine (#15592)

  • resource/aws_elasticache_replication_group: Add support for final snapshot (#15592)

  • resource/aws_globalaccelerator_accelerator: Add custom timeouts (#17112)

  • resource/aws_globalaccelerator_endpoint_group: Add custom timeouts (#17112)

  • resource/aws_globalaccelerator_endpoint_listener: Add custom timeouts (#17112)

  • resource/aws_instance: Add tags parameter to root_block_device, ebs_block_device blocks (#15474)

  • resource/aws_workspaces_directory: Add access properties (#16688)

  • resource/aws_appmesh_route: Allow an empty match attribute to be specified for a grpc_route, indicating that any service should be matched (#16867)

  • resource/aws_db_instance: Correctly validate final_snapshot_identifier argument at plan-time (#16885)

  • resource/aws_dms_endpoint: Support extra_connection_attributes for all engine names during create and read (#16827)

  • resource/aws_instance: Prevent volume_tags from improperly interfering with tags in aws_ebs_volume (#15474)

  • resource/aws_networkfirewall_rule_group: Prevent resource recreation due to stateful_rule changes after creation (#16884)

  • resource/aws_route53_zone_association: Prevent deletion errors for missing Hosted Zone or VPC association (#17023)

  • resource/aws_sagemaker_image: Fix error on wait for delete when image does not exist (#16077)

  • resource/aws_s3_bucket_inventory: Prevent crashes with empty destination, filter, and schedule configuration blocks (#17055)

  • service/apigateway: All operations will now automatically retry on "ConflictException: Unable to complete operation due to concurrent modification. Please try again later." errors.

A rare patch release for the AWS provider fixes an issue with the new tags support for block devices on instances.

Most notably, this includes some breaking changes.

Also, this adds the ability to share modules across organizations.

Thank you for subscribing, and reading this far.

Archives and a subscribe form are available at weekly.tf.

As always, if you have feedback or something you think should be included, email me.