Terraform uses providers to manage cloud infrastructure, which you define in Terraform configuration files. When learning to use Terraform, practitioners focus on resource blocks, which map to infrastructure that Terraform will manage. In addition to resources, Terraform providers can also define data sources. Data sources represent data that Terraform queries from the same cloud provider APIs that it uses to provision resources.
Learn how to use Terraform data sources with our new tutorial on HashiCorp Learn.
After following this guide, I encountered some issues that could be prevented by placing a note or a warning.
There should be a note to make sure to run terraform destroy with the same flags that were used for terraform apply, e.g.
terraform destroy -var aws_region=us-west-1
The backstory that prompted me to flag this:
I managed to get a small charge on AWS due to the NAT gateways that are defined in the config.
The problem is the shortcomings of the aws provider itself, when it comes to changing regions. As it turns out, it’s a known issue - but I didn’t know this at the time.
Since the tutorial instructs to run terraform apply -var aws_region=us-west-1 on the VPC workspace while the config file states us-east-1, the resources are naturally deployed in us-west-1. But what I didn’t know (as I’m still learning) is that I should actually destroy the resources with the -var aws_region=us-west-1 flag as well. (Yes, looking back, I see that it’s written in the tutorial, but I don’t copy-paste everything.)
For some reason I assumed that terraform destroy would be based on the state file. But it isn’t, and once run, it notifies me that all resources will be destroyed and clears the state file, as it should.
Days later I checked my AWS billing and saw that I had quite a few hours of NAT gateway usage, which prompted me to investigate, and lo and behold, the NAT gateways were still running, despite my thinking they had been destroyed days ago. So I checked CloudTrail, and there was no API call ever made for their removal. It got me thinking what could’ve gone wrong, so I ran a few tests with debug mode and came to the conclusion stated in the issue I referenced previously.
I can see how others could make the mistake of just running terraform destroy without the flag and racking up some unforeseen charges.
Hence I’m asking you to add a note to the tutorial where the reader is instructed to “Apply this configuration, setting the value of us-west-1 .” to make sure terraform destroy is run the same way.
The other thing that could be done is to simply get rid of the NAT gateways and private subnets in the configuration and put the app instances into the public subnets. So there would be no charge at all, even if the tutorial is being followed word by word.
I’d like to stress that I don’t blame anyone but myself for the mistake. I just think that these changes could save some trouble for others.
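One way to keep apply and destroy in sync, as an added example that is not part of the tutorial or the post above: record the -var values given to apply in a tfvars file and feed that same file to destroy, then confirm no NAT gateways remain in the region that was actually used. The file name .tf-applied.tfvars and the aws CLI check at the end are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): pin the variable values used by
# `terraform apply` so the matching `terraform destroy` reuses them.
set -euo pipefail

VARS_FILE="${VARS_FILE:-.tf-applied.tfvars}"   # assumed file name

# Write every "-var KEY=VALUE" / "-var=KEY=VALUE" argument as a tfvars line.
# Other arguments (e.g. -auto-approve) are ignored here and passed through.
record_vars() {
  local out="$1"; shift
  : > "$out"
  while [ $# -gt 0 ]; do
    case "$1" in
      -var)   [ $# -ge 2 ] || return 1
              printf '%s = "%s"\n' "${2%%=*}" "${2#*=}" >> "$out"; shift 2 ;;
      -var=*) local kv="${1#-var=}"
              printf '%s = "%s"\n' "${kv%%=*}" "${kv#*=}" >> "$out"; shift ;;
      *)      shift ;;
    esac
  done
}

# Print the value recorded for KEY, or nothing if it was never recorded.
recorded_value() {
  local file="$1" key="$2"
  sed -n "s/^${key} = \"\(.*\)\"$/\1/p" "$file"
}

tf_apply() {
  record_vars "$VARS_FILE" "$@"
  terraform apply "$@"
}

tf_destroy() {
  # Refuse to guess: without the recorded values, destroy would use the
  # defaults in the config (us-east-1 in the tutorial) and miss the resources.
  [ -s "$VARS_FILE" ] || { echo "no vars recorded from apply" >&2; return 1; }
  terraform destroy -var-file="$VARS_FILE" "$@"
  # Post-destroy check in the region terraform was really pointed at:
  # any id printed here is a NAT gateway that is still billing.
  local region; region="$(recorded_value "$VARS_FILE" aws_region)"
  aws ec2 describe-nat-gateways --region "$region" \
    --filter Name=state,Values=available \
    --query 'NatGateways[].NatGatewayId' --output text
}
```

Usage: tf_apply -var aws_region=us-west-1, later tf_destroy; an empty line from the final check means nothing was left behind.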