DevOps help for Cloud Platform Engineers
  • Welcome!
  • Quick Start Guide
  • About Me
  • CV
  • Contribute
  • 🧠DevOps & SRE Foundations
    • DevOps Overview
      • Engineering Fundamentals
      • Implementing DevOps Strategy
      • DevOps Readiness Assessment
      • Lifecycle Management
      • The 12 Factor App
      • Design for Self Healing
      • Incident Management Best Practices (2025)
    • SRE Fundamentals
      • Toil Reduction
      • System Simplicity
      • Real-world Scenarios
        • AWS VM Log Monitoring API
    • Agile Development
      • Team Agreements
        • Definition of Done
        • Definition of Ready
        • Team Manifesto
        • Working Agreement
    • Industry Scenarios
      • Finance and Banking
      • Public Sector (UK/EU)
      • Energy Sector Edge Computing
  • 🛠️DevOps Practices
    • Platform Engineering
    • FinOps
    • Observability
      • Modern Practices
  • 🚀Modern DevOps Practices
    • Infrastructure Testing
    • Modern Development
    • Database DevOps
  • 🛠️Infrastructure as Code (IaC)
    • Terraform
      • Cloud Integrations - Provider-specific implementations
        • Azure Scenarios
          • Azure Authetication
            • Service Principal
            • Service Principal in block
            • Service Principal in env
        • AWS Scenarios
          • AWS Authentication
        • GCP Scenarios
          • GCP Authentication
      • Testing and Validation
        • Unit Testing
        • Integration Testing
        • End-to-End Testing
        • Terratest Guide
      • Best Practices
        • State Management
        • Security
        • Code Organization
        • Performance
      • Tools & Utilities - Enhancing the Terraform workflow
        • Terraform Docs
        • TFLint
        • Checkov
        • Terrascan
      • CI/CD Integration - Automating infrastructure deployment
        • GitHub Actions
        • Azure Pipelines
        • GitLab CI
    • Bicep
      • Getting Started - First steps with Bicep [BEGINNER]
      • Template Specs
      • Best Practices - Guidelines for effective Bicep implementations
      • Modules - Building reusable components [INTERMEDIATE]
      • Examples - Sample implementations for common scenarios
      • Advanced Features
      • CI/CD Integration - Automating Bicep deployments
        • GitHub Actions
        • Azure Pipelines
  • 💰Cost Management & FinOps
    • Cloud Cost Optimization
  • 🐳Containers & Orchestration
    • Containerization Overview
      • Docker
        • Dockerfile Best Practices
        • Docker Compose
      • Kubernetes
        • CLI Tools - Essential command-line utilities
          • Kubectl
          • Kubens
          • Kubectx
        • Core Concepts
        • Components
        • Best Practices
          • Pod Security
          • Security Monitoring
          • Resource Limits
        • Advanced Features - Beyond the basics [ADVANCED]
          • Service Mesh
            • Istio
            • Linkerd
          • Ingress Controllers
            • NGINX
            • Traefik
            • Kong
            • Gloo Edge
            • Contour
        • Tips
          • Status in Pods
          • Resource handling
          • Pod Troubleshooting Commands
        • Enterprise Architecture
        • Health Management
        • Security & Compliance
        • Virtual Clusters
      • OpenShift
  • Service Mesh & Networking
    • Service Mesh Implementation
  • Architecture Patterns
    • Data Mesh
    • Multi-Cloud Networking
    • Disaster Recovery
    • Chaos Engineering
  • Edge Computing
    • Implementation Guide
      • Serverless Edge
      • IoT Edge Patterns
      • Real-Time Processing
      • Edge AI/ML
      • Security Hardening
      • Observability Patterns
      • Network Optimization
      • Storage Patterns
  • 🚀CI/CD & Release Management
    • Continuous Integration
    • Continuous Delivery
      • Deployment Strategies
      • Secrets Management
      • Blue-Green Deployments
      • Deployment Metrics
      • Progressive Delivery
      • Release Management for DevOps/SRE (2025)
  • CI/CD Platforms
    • Tekton
      • Build and Push Container Images
      • Tekton on NixOS Setup
    • Flagger
    • Azure DevOps
      • Pipelines
        • Stages
        • Jobs
        • Steps
        • Templates - Reusable pipeline components
        • Extends
        • Service Connections - External service authentication
        • Best Practices for 2025
        • Agents and Runners
        • Third-Party Integrations
        • Azure DevOps CLI
      • Boards & Work Items
    • GitHub Actions
      • GitHub SecOps: DevSecOps Pipeline
    • GitLab
      • GitLab Runner
  • GitOps
    • GitOps Overview
      • Modern GitOps Practices
      • GitOps Patterns for Multi-Cloud (2025)
      • Flux
        • Progressive Delivery
        • Use GitOps with Flux, GitHub and AKS
  • Source Control
    • Source Control Overview
      • Git Branching Strategies
      • Component Versioning
      • Kubernetes Manifest Versioning
      • GitLab
      • Creating a Fork
      • Naming Branches
      • Pull Requests
      • Integrating LLMs into Source Control Workflows
  • ☁️Cloud Platforms
    • Cloud Strategy
      • AWS to Azure
      • Azure to AWS
      • GCP to Azure
      • AWS to GCP
      • GCP to AWS
    • Landing Zones in Public Clouds
      • AWS Landing Zone
      • GCP Landing Zone
      • Azure Landing Zones
    • Azure
      • Best Practices
        • Azure Best Practices Overview
        • Azure Architecture Best Practices
        • Azure Naming Standards
        • Azure Tags
        • Azure Security Best Practices
      • Services
        • Azure Active Directory (AAD)
        • Azure Monitor
        • Azure Key Vault
        • Azure Service Bus
        • Azure DNS
        • Azure App Service
        • Azure Batch
        • Azure Machine Learning
        • Azure OpenAI Service
        • Azure Cognitive Services
        • Azure Kubernetes Service (AKS)
        • Azure Databricks
        • Azure SQL Database
      • Monitoring
      • Administration Tools - Platform management interfaces
        • Azure PowerShell
        • Azure CLI
      • Tips & Tricks
    • AWS
      • Authentication
      • Best Practices
      • Tips & Tricks
      • Services
        • AWS IAM (Identity and Access Management)
        • Amazon CloudWatch
        • Amazon SNS (Simple Notification Service)
        • Amazon SQS (Simple Queue Service)
        • Amazon Route 53
        • AWS Elastic Beanstalk
        • AWS Batch
        • Amazon SageMaker
        • Amazon Bedrock
        • Amazon Comprehend
    • Google Cloud
      • Services
        • Cloud CDN
        • Cloud DNS
        • Cloud Load Balancing
        • Google Kubernetes Engine (GKE)
        • Cloud Run
        • Artifact Registry
        • Compute Engine
        • Cloud Functions
        • App Engine
        • Cloud Storage
        • Persistent Disk
        • Filestore
        • Cloud SQL
        • Cloud Spanner
        • Firestore
        • Bigtable
        • BigQuery
        • VPC (Virtual Private Cloud)
  • 🔐Security & Compliance
    • DevSecOps Overview
      • DevSecOps Pipeline Security
      • DevSecOps
        • Real-life Examples
        • Scanning & Protection - Automated security tooling
          • Dependency Scanning
          • Credential Scanning
          • Container Security Scanning
          • Static Code Analysis
            • Best Practices
            • Tool Integration Guide
            • Pipeline Configuration
        • CI/CD Security
        • Secrets Rotation
      • Supply Chain Security
        • SLSA Framework
        • Binary Authorization
        • Artifact Signing
      • Security Best Practices
        • Threat Modeling
        • Kubernetes Security
      • SecOps
      • Zero Trust Model
      • Cloud Compliance
        • ISO/IEC 27001:2022
        • ISO 22301:2019
        • PCI DSS
        • CSA STAR
      • Security Frameworks
      • SIEM and SOAR
  • Security Architecture
    • Zero Trust Implementation
      • Identity Management
      • Network Security
      • Access Control
  • 🔍Observability & Monitoring
    • Observability Fundamentals
  • 🧪Testing Strategies
    • Testing Overview
      • Modern Testing Approaches
      • End-to-End Testing
      • Unit Testing
      • Performance Testing
        • Load Testing
      • Fault Injection Testing
      • Integration Testing
      • Smoke Testing
  • 🤖AI Integration
    • AIops Overview
      • Workflow Automation
      • Predictive Analytics
      • Code Quality
  • 🧠AI & LLM Integration
    • Overview
      • Claude
        • Installation Guide
        • Project Guides
        • MCP Server Setup
        • LLM Comparison
      • Ollama
        • Installation Guide
        • Configuration
        • Models and Fine-tuning
        • DevOps Usage
        • Docker Setup
        • GPU Setup
        • Open WebUI
      • Copilot
        • Installation Guide
        • VS Code Integration
        • CLI Usage
      • Gemini
        • Installation Guides - Platform-specific setup
          • Linux Installation
          • WSL Installation
          • NixOS Installation
        • Gemini 2.5 Features
        • Roles and Agents
        • NotebookML Guide
        • Cloud Infrastructure Deployment
        • Summary
  • 💻Development Environment
    • DevOps Tools
      • Pulumi
      • Operating Systems - Development platforms
        • NixOS
          • Install NixOS: PC, Mac, WSL
          • Nix Language Deep Dive
          • Nix Language Fundamentals
            • Nix Functions and Techniques
            • Building Packages with Nix
            • NixOS Configuration Patterns
            • Flakes: The Future of Nix
          • NixOS Generators: Azure & QEMU
        • WSL2
          • Distributions
          • Terminal Setup
      • Editor Environments
      • CLI Tools
        • Azure CLI
        • PowerShell
        • Linux Commands
          • SSH - Secure Shell)
            • SSH Config
            • SSH Port Forwarding
        • Linux Fundametals
        • Cloud init
          • Cloud init examples
        • YAML Tools
          • How to create a k8s yaml file - How to create YAML config
          • YQ the tool
  • 📚Programming Languages
    • Python
    • Go
    • JavaScript/TypeScript
    • Java
    • Rust
  • Platform Engineering
    • Implementation Guide
  • FinOps
    • Implementation Guide
  • AIOps
    • LLMOps Guide
  • Should Learn
    • Should Learn
    • Linux
      • Commands
      • OS
      • Services
    • Terraform
    • Getting Started - Installation and initial setup [BEGINNER]
    • Cloud Integrations
    • Testing and Validation - Ensuring infrastructure quality
      • Unit Testing
      • Integration Testing
      • End-to-End Testing
      • Terratest Guide
    • Best Practices - Production-ready implementation strategies
      • State Management
      • Security
      • Code Organization
      • Performance
    • Tools & Utilities
    • CI/CD Integration
    • Bicep
    • Kubernetes
      • kubectl
    • Ansible
    • Puppet
    • Java
    • Rust
    • Azure CLI
  • 📖Documentation Best Practices
    • Documentation Strategy
      • Project Documentation
      • Release Notes
      • Static Sites
      • Documentation Templates
      • Real-World Examples
  • 📋Reference Materials
    • Glossary
    • Tool Comparison
    • Tool Decision Guides
    • Recommended Reading
    • Troubleshooting Guide
    • Development Setup
Powered by GitBook
On this page
  • Installation Guide
  • Linux Installation
  • WSL2 Installation
  • NixOS Installation
  • NixOS Real-Life Scenarios for Terraform
  • 1. Reproducible Multi-Cloud Dev Environments
  • 2. Project-Specific Flake for Terraform + Providers
  • 3. Declarative Secrets Management for Provider Credentials
  • 4. CI/CD with Nix and Terraform
  • Modern Terraform Features (2025)
  • Key Features
  • Best Practices
  • 1. State Management
  • 2. Code Organization
  • 3. Security
  • 4. Performance
  • 5. Cost Management
  • Deployment Scenarios
  • 1. Multi-Region High Availability
  • 2. Zero-Downtime Deployments
  • 3. Secure Landing Zone
  • Integration with Other Tools
  • 1. CI/CD Integration
  • 2. Policy as Code
  • Testing Strategies
  • 1. Unit Testing
  • 2. Integration Testing
  • Additional Resources
  • Related Topics
Edit on GitHub
  1. Infrastructure as Code (IaC)

Terraform

Setting up and using terraform for Azure Deployments

Terraform is HashiCorp's Infrastructure as Code (IaC) tool that enables you to safely and predictably create, change, and improve infrastructure across multiple cloud providers and services. This guide covers modern Terraform practices as of 2025, including the latest features and best practices.

Installation Guide

Linux Installation

Ubuntu/Debian

wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform

RHEL/CentOS/Fedora

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo yum -y install terraform

WSL2 Installation

For WSL2, you can either use the Linux distribution's package manager as above, or install via the official package:

wget -O terraform.zip https://releases.hashicorp.com/terraform/latest/terraform_*_linux_amd64.zip
unzip terraform.zip
sudo mv terraform /usr/local/bin/

NixOS Installation

Add Terraform to your system configuration (configuration.nix):

{ config, pkgs, ... }:
{
  environment.systemPackages = with pkgs; [
    terraform
    terraform-ls  # Language server for IDE integration
    terraform-docs  # Documentation generator
    tflint  # Terraform linter
  ];
}

Or for a project-specific environment using shell.nix:

{ pkgs ? import <nixpkgs> {} }:
pkgs.mkShell {
  buildInputs = with pkgs; [
    terraform
    terraform-ls
    terraform-docs
    tflint
  ];
}

NixOS Real-Life Scenarios for Terraform

1. Reproducible Multi-Cloud Dev Environments

Use NixOS to ensure every engineer and CI runner has the same Terraform, provider plugins, and linters:

# configuration.nix
{
  environment.systemPackages = with pkgs; [ terraform awscli azure-cli google-cloud-sdk tflint ];
}

2. Project-Specific Flake for Terraform + Providers

Use a Nix flake to pin Terraform and provider versions for a project:

# flake.nix
{
  description = "Terraform dev shell with AWS, Azure, GCP providers";
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
  outputs = { self, nixpkgs }: {
    devShells.x86_64-linux.default = nixpkgs.legacyPackages.x86_64-linux.mkShell {
      buildInputs = with nixpkgs.legacyPackages.x86_64-linux; [ terraform awscli azure-cli google-cloud-sdk tflint ];
    };
  };
}

Start the shell:

nix develop

3. Declarative Secrets Management for Provider Credentials

# Example: Pass environment variables to Terraform from NixOS
{
  environment.variables = {
    ARM_CLIENT_ID = "...";
    ARM_CLIENT_SECRET = "...";
    AWS_ACCESS_KEY_ID = "...";
    AWS_SECRET_ACCESS_KEY = "...";
  };
}

4. CI/CD with Nix and Terraform

Use Nix to build a Docker image or CI environment with pinned Terraform and providers for GitHub Actions, GitLab CI, or self-hosted runners:

# docker.nix
{ pkgs ? import <nixpkgs> {} }:
pkgs.dockerTools.buildImage {
  name = "terraform-nix-ci";
  tag = "latest";
  contents = [ pkgs.terraform pkgs.tflint pkgs.awscli pkgs.azure-cli pkgs.google-cloud-sdk ];
}

Modern Terraform Features (2025)

Key Features

  1. Native Support for Multi-Cloud Deployments

    • Unified workflow across AWS, Azure, GCP, and other providers

    • Cross-cloud resource dependencies

    • Cloud-agnostic modules

  2. Enhanced State Management

    • Improved state locking mechanisms

    • Built-in state encryption

    • Advanced state migration tools

  3. Testing and Validation

    • Built-in testing framework

    • Policy as code integration

    • Automated validation pipelines

  4. Security Features

    • Native secrets management

    • IAM role assumption

    • Provider authentication improvements

Best Practices

1. State Management

  • Use remote state storage (AWS S3, Azure Storage, GCP Cloud Storage)

  • Implement state locking

  • Separate state files per environment

  • Enable state encryption

Example backend configuration for Azure:

terraform {
  backend "azurerm" {
    resource_group_name  = "terraform-state-rg"
    storage_account_name = "tfstate${random_string.suffix.result}"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_oidc            = true
  }
}

2. Code Organization

  • Use workspaces for environment separation

  • Implement consistent naming conventions

  • Maintain modular code structure

project/
├── environments/
│   ├── prod/
│   ├── staging/
│   └── dev/
├── modules/
│   ├── networking/
│   ├── compute/
│   └── storage/
└── shared/
    └── provider.tf

3. Security

  • Use provider authentication with OIDC

  • Implement least privilege access

  • Enable audit logging

  • Use sensitive input variables

4. Performance

  • Use for_each instead of count where possible

  • Implement parallel resource creation

  • Use data sources efficiently

5. Cost Management

  • Implement cost estimation in CI/CD

  • Use cost allocation tags

  • Enable cost reports and budgets

Deployment Scenarios

1. Multi-Region High Availability

module "primary_region" {
  source = "./modules/region"
  
  providers = {
    aws = aws.us-west-2
  }
  
  is_primary = true
  region_name = "us-west-2"
}

module "secondary_region" {
  source = "./modules/region"
  
  providers = {
    aws = aws.us-east-1
  }
  
  is_primary = false
  region_name = "us-east-1"
}

2. Zero-Downtime Deployments

resource "aws_lb" "application" {
  name               = "application-lb"
  internal           = false
  load_balancer_type = "application"
  
  enable_deletion_protection = true
  enable_http2       = true
  
  subnets = module.vpc.public_subnets
}

resource "aws_lb_listener" "blue_green" {
  load_balancer_arn = aws_lb.application.arn
  port              = "443"
  protocol          = "HTTPS"
  
  default_action {
    type = "forward"
    target_group_arn = var.environment == "blue" ? aws_lb_target_group.blue.arn : aws_lb_target_group.green.arn
  }
}

3. Secure Landing Zone

module "landing_zone" {
  source = "./modules/landing_zone"
  
  organization_name = "example-corp"
  environment      = "prod"
  
  network_configuration = {
    vpc_cidr             = "10.0.0.0/16"
    enable_transit_gateway = true
    enable_network_firewall = true
  }
  
  security_configuration = {
    enable_guardduty     = true
    enable_security_hub  = true
    enable_config        = true
  }
}

Integration with Other Tools

1. CI/CD Integration

GitHub Actions workflow example:

name: 'Terraform Pipeline'
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      
      - name: Terraform Format
        run: terraform fmt -check
        
      - name: Terraform Init
        run: terraform init
        
      - name: Terraform Plan
        run: terraform plan -out=tfplan
        
      - name: Terraform Apply
        if: github.ref == 'refs/heads/main'
        run: terraform apply -auto-approve tfplan

2. Policy as Code

Using OPA (Open Policy Agent) for policy enforcement:

provider "opa" {
  hostname = "http://localhost:8181"
}

data "opa_document" "policy" {
  path = "terraform/policies"
  
  query = {
    resources = terraform.resources
    allowed   = true
  }
}

Testing Strategies

1. Unit Testing

Using Terratest for infrastructure testing:

package test

import (
    "testing"
    "github.com/gruntwork-io/terratest/modules/terraform"
    "github.com/stretchr/testify/assert"
)

func TestTerraformAwsExample(t *testing.T) {
    terraformOptions := &terraform.Options{
        TerraformDir: "../examples/aws",
        Vars: map[string]interface{}{
            "region": "us-west-2",
        },
    }

    defer terraform.Destroy(t, terraformOptions)
    terraform.InitAndApply(t, terraformOptions)
    
    output := terraform.Output(t, terraformOptions, "instance_id")
    assert.NotEmpty(t, output)
}

2. Integration Testing

module "integration_test" {
  source = "./test"
  
  depends_on = [module.main_infrastructure]
  
  vpc_id     = module.main_infrastructure.vpc_id
  subnet_ids = module.main_infrastructure.subnet_ids
}

Additional Resources

Related Topics

PreviousDatabase DevOpsNextCloud Integrations - Provider-specific implementations

Last updated 16 days ago

Store cloud credentials in a NixOS module or use for encrypted secrets:

- Core concepts powering Terraform-based automation

- Practical implementation patterns for AWS resources

- Azure-specific deployment strategies with Terraform

- Google Cloud automation with Terraform

- Ensuring infrastructure reliability with automated tests

- Automating Terraform deployments in pipelines

- Production-ready implementation strategies

- Alternative IaC approach for Azure-specific workloads

- Git-based infrastructure delivery that works with Terraform

🛠️
agenix
Official Terraform Documentation
Terraform Registry
HashiCorp Learn
Terraform Best Practices
Infrastructure as Code Overview
AWS Scenarios
Azure Scenarios
GCP Scenarios
Testing and Validation
CI/CD Integration
Terraform Best Practices
Bicep
GitOps