What are suggested alternatives for IaC management...
# general
w
What are suggested alternatives for IaC management with terraform? I am fiddling with
terraform cloud
and VCS integration, but I want to also be able to run terraform locally and still apply changes (with VCS, if possible) I am not sure if
spacelift
supports this, can't find it in the docs.
a
Believe Terraform Cloud doesn't support local
apply
with the remote backend (but does support local
plan
) but tooling such as https://www.runatlantis.io and others will work both remotely and locally, assuming they're both able to access the same remote state (such as S3/GCS)
w
Atlantis is nice. Might be an option, but for the moment I'm looking for a SaaS solution so I don't have to manage one more service. I'm checking `spacelift`today and will check
env0
and
scalr
a
Last time I checked out env0 it used local state which it kept track of itself (for ephemeral environments) but it's been a while admittedly. Haven't had a chance to checkout Spacelift or other alternatives yet, be curious to hear your experiences!
n
spacelift will allow local apply as long as you self host your statefile and use locking
multiple sources of TF applies can be a problem though. Statefile corruption can happen when there's no locking, version skew can cause one side to break, one apply changing state behind the back of a stored plan thus causing application of the stored plan to be non determinititic and leave messed up state, etc...
As a general principal, one of the benefits of using a IaC CD tool is that you can lineraize your applies, reduce perms needed by people and machines, and have a proper history of changes. In larger scale cases this does mean that you end up have to redesign things to be more modular and limited in scope
w
Thanks @Nathan Hruby that is very insightful. Adding a bit more context, I want this requirement for case of emergencies: • Something needs immediate change in the middle of an incident and I want to be able to manually fix it • If the SaaS has an issue/outage I don't want to be blocked by it So it's really for cases of emergencies (or sometimes moving states without having to redeploy when the code architecture changes)
n
My experience has been that in the middle of an incident, it's the manual tweaks that cause more problems. Or, perhaps: Tweak success rate is directly proportionate to the quality of the operator doing the tweak at the time of the work being performed. I try to make IaC pipelines safe, easy, and fast enough that they are simply how changes are made all the time regardless of the situation, rather than having to maintain parallel tooling that can be a distraction.
SaaS outage issue is real concern, and that's a risk you need to understand for your org. I would say that a lot of places overplay this risk. It's fairly minor and in the case where "we can't deploy infra for a an hour" it's not that big of a deal. I often look at it as: if you use GitHub and are homed in us-east-1, then that choice is already made for you, don't worry about it.
s
Check us out at nullstone.io as well. We specialize in allowing full customization of your infrastructure via Terraform. I’d love to know how we stack up for your use case. Your use case isn’t something we have well documented because it is generally looked at as bad practice. However, I certainly can sympathize with not wanting to be stuck with hands tied during an outage. Let me know if you are interested and I’d be happy to walk you through some options.
w
Thanks @Nathan Hruby I'm totally with you. And I enforce quality and code maintainability in a way to avoid that in future scenarios, and although cautious, myself or my team can make mistakes. So to be cautious, I also try to be prepared for mistakes (and for outages that are not our fault by need remediation). So, in general I want a tool that will not tie my hands when I need it most, which is critical situations.
Thanks @Scott Sickles - I will check out the website