One must consider this before deployment using Terraform !!!

LAKSHAY ARORA
6 min read, May 31, 2022

We all know that Terraform is a great IaC (Infrastructure as Code) tool. It helps in deploying and managing our cloud infrastructure with the help of configuration files. Just change your configuration file and your infrastructure is built in a single go!!

However, deploying resources is not the only thing one should consider. In a production environment, where we run our workloads, we have to take care of other important aspects apart from merely deploying the resources. These factors are security, cost, reliability, etc.

Hence, in this blog, I am going to throw some light on those aspects.

Use Case

I will take a use case in which I will deploy an EC2 instance using Terraform. I will also include two tools in this use case. They are:

  • Checkov: a static code analysis tool for infrastructure-as-code. It detects security and compliance misconfigurations using graph-based scanning.
  • Infracost: shows cloud cost estimates for Terraform. It lets DevOps, SRE and other engineers see a cost breakdown and understand costs before making changes, either in the terminal or in pull requests.

Don’t worry. No cloud credentials or secrets are sent to the Cloud Pricing API. Infracost does not make any changes to your Terraform state or cloud resources.

Let us first deploy an EC2 instance using Terraform. Follow the steps below with me :)

Step 1- Every Terraform configuration starts with a provider block. Below is the AWS Terraform provider block. It consists of the provider source and version. We also have to declare the region (as seen below).

Resources will be provisioned by Terraform in this region. Provide your Access Key and Secret Access Key.

In a Production environment, never put your keys into your main code.

Step 2- Since every EC2 instance resides in a VPC, a VPC and a Subnet need to be declared.

Step 3- Create a NIC (network interface) for the EC2 instance.

Step 4- Finally, declare the EC2 instance block.

Once the above steps are done, your final code should look like this:
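Since the screenshot of the finished configuration is not reproduced here, the following is an added example (written for this page, not the author's original code and not code from the Terraform, AWS provider or Checkov projects) that covers the four steps above. The region, CIDR blocks, private IP, AMI placeholder and tag names are assumptions. It deliberately follows the warning above: the provider block carries no keys, so Terraform picks credentials up from the AWS credential chain (the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables or a named profile) instead of from the code. The instance block also sets the options that Checkov's EC2 checks look for, so the scan in the next section comes back clean for this resource.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

# No access_key / secret_key here on purpose: the provider reads them
# from the environment or a named profile, so no secret lands in the
# code, the repository or the plan file that Checkov and Infracost scan.
provider "aws" {
  region = "us-east-1" # assumed region
}

variable "ami_id" {
  description = "AMI to launch (placeholder; look up the ID for your region)"
  type        = string
  default     = "ami-PLACEHOLDER"
}

# Step 2: VPC and subnet
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  tags       = { Name = "demo-vpc" }
}

resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = false # no public IP handed out on launch
  tags                    = { Name = "demo-subnet" }
}

# Security group with no ingress at all; only HTTPS egress is allowed,
# which is enough for package updates and the SSM endpoint.
resource "aws_security_group" "instance" {
  name   = "demo-instance-sg"
  vpc_id = aws_vpc.main.id

  egress {
    description = "HTTPS out"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Step 3: network interface for the instance
resource "aws_network_interface" "nic" {
  subnet_id       = aws_subnet.private.id
  private_ips     = ["10.0.1.10"] # assumed address inside the subnet
  security_groups = [aws_security_group.instance.id]
}

# Step 4: the EC2 instance itself
resource "aws_instance" "web" {
  ami           = var.ami_id
  instance_type = "t2.micro"
  monitoring    = true # detailed monitoring (Checkov CKV_AWS_126)

  network_interface {
    network_interface_id = aws_network_interface.nic.id
    device_index         = 0
  }

  # Require IMDSv2 so instance-role credentials cannot be read with a
  # plain unauthenticated GET to the metadata endpoint (Checkov CKV_AWS_79).
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Encrypt the root volume at rest (Checkov CKV_AWS_8).
  root_block_device {
    encrypted = true
  }

  tags = { Name = "demo-ec2" }
}
```

The instance type is kept at t2.micro so that the Infracost diff later in the post (t2.micro to t2.small) applies unchanged; the t2 family does not support the EBS-optimized flag, so that particular Checkov check is not addressed here.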

Once your code is ready, run `terraform init`. This command initialises the working directory containing the Terraform configuration files.

Next, run `terraform plan`. This command creates an execution plan, which lets you preview the changes Terraform intends to make to your infrastructure.

However, before running `terraform apply` (the final provisioning step), let us check for security and compliance misconfigurations using the Checkov tool.

Checkov Implementation

Installation on Ubuntu 18.04 LTS

Ubuntu 18.04 ships with Python 3.6. Install Python 3.7 (from the deadsnakes PPA repository):

sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt install python3.7
sudo apt install python3-pip
sudo python3.7 -m pip install -U checkov  # install or upgrade checkov

Installation on Alpine

pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install checkov

Since I am using a Mac, the command below worked for me:

brew install checkov

Configure an input folder or file

I have configured a Terraform plan file in JSON format (tf.json) as the input:

terraform init
terraform plan -out tf.plan
terraform show -json tf.plan > tf.json
checkov -f tf.json

Once you run `checkov -f tf.json`, you will see the final scan result as shown below.

(Optional) If you have jq installed, you can pretty-print the JSON file onto multiple lines with the following command:

terraform show -json tf.plan | jq '.' > tf.json

This way, tf.json will be in a much more user-friendly format, and the scan results will be much easier to read.

Scan Result-

So, this is how we can run Checkov's checks against our infrastructure code before it is applied, and thus meet our infrastructure compliance requirements.

Now we will move ahead and look at the second tool, Infracost. As explained earlier, it shows cloud cost estimates for Terraform.

Infracost Implementation

Manual installation on macOS/Linux

curl -fsSL https://raw.githubusercontent.com/infracost/infracost/master/scripts/install.sh | sh

Installation on macOS using brew

brew install infracost

Once the installation is complete and you can see the Infracost version (as shown below), follow the steps below:

Steps:

Step 1- Get API Key

Register for a free API key. The CLI uses it to retrieve prices from Infracost's Cloud Pricing API, e.g. to get prices for instance types.

infracost register

The key can be retrieved later with `infracost configure get api_key`.

Step 2- Show cost estimate breakdown

Infracost parses the project locally to determine resource types and quantities needed to calculate costs.

The `--path` flag can point to a Terraform directory or to a plan JSON file.

infracost breakdown --path . --terraform-parse-hcl

You should get output like this:

So, it gives me a cost estimate of around $9.27.

Step 3- Show cost estimate diff

  • Generate an Infracost JSON file as the baseline:

infracost breakdown --path . --terraform-parse-hcl --format json --out-file infracost-base.json

  • Now change the instance type in the Terraform code. I changed my instance type to t2.small.

After making the change, I ran the command below:

infracost diff --path . --terraform-parse-hcl --compare-to infracost-base.json

I got this output:

As per the above output, the cost increases by $8.32 (a 90% increase in cost).

Hence, the final cost for the t2.small instance type is $17.59.

Step 4- Add to your CI/CD (Optional)

This cost estimation can also be added to your CI/CD pipelines. That gives your team a safety net, as people can discuss costs as part of the review workflow before anything is applied.

To summarise, we have deployed resources using Terraform. However, before deployment, we took care of compliance and security misconfigurations using Checkov, and of the cost estimates of the resources using Infracost.

Incorporating these tools into your own infrastructure workflow can make a big difference.

Try it !!!

Till then good bye :)
