Terraform + config management for many instances

Hi all,

I’m looking for some input/sanity checks about my ideas around integrating Terraform to manage our infrastructure, which we already configure using configuration management (Ansible for Linux, DSC for Windows).

We host two types of products, one on Linux, the other on Windows, mostly on AWS (that’s our initial Terraform target). Infrastructure-wise, they are not complicated: a few VMs in a VPC, default security groups with a few inbound rules, EIPs and an occasional load balancer. I have hacked a quick Terraform config for our Linux infrastructure; it was a lovely learning experience.

We host several independent copies of each of these systems. The Linux one is a cluster, and we host several of these around the world. Windows systems are hosted for each client, and there are dozens of these. From Terraform’s point of view, all differences among instances can be parametrised.

Now, the first issue I’m struggling with is how to handle data/configuration separation for multiple instances, which Terraform does differently from what we’re used to with configuration management systems (Ansible with its clear inventory and playbook/roles separation and DSC with its configuration document and PS modules separation).

I’ve read about different approaches to this that Terraform supports, and I’ve dismissed some of them: having configs for instances on long-lived git branches does not look like a good option, since we’d have many of them. Using local workspaces seems a bit brittle for handling many instances.

The best approach currently seems to be to encapsulate each product’s Terraform configuration into separate Terraform modules (hosted on Terraform registry). After that, we’d create a trivial root module for each instance, with its own set of input variable values, which would call into that product’s module. That way, we can use separate Terraform Cloud workspaces, with a workspace per instance, targeting the appropriate root module directory. I think that would result in minimal Terraform code duplication.

Is there a better approach that might work for us?

The second issue, if we go with that idea, is: where do we keep that trivial root module for each instance? Would it make sense to keep it alongside Ansible inventory data for each instance and PowerShell DSC configuration data files, in the same git repo? That way we could have Terraform “push” data/settings into Ansible/DSC configs (or Ansible/DSC configs “pulling” some data from current Terraform state). Are there any gotchas with this approach?

Thank you!
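One way the "pull" direction from the second issue could look, as an added example that is not part of the original post: a Python helper that turns the JSON printed by `terraform output -json` for one instance's root module into Ansible's dynamic-inventory JSON structure, leaving out any output flagged `sensitive` so secrets do not end up in inventory data kept in git. The output names (`node_ips`, `cluster_name`, `db_password`), the group name and the `tf_` variable prefix are assumptions made for the illustration.

```python
import json

# Constructed sample of `terraform output -json` for one instance's root module.
# The output names below are hypothetical.
SAMPLE_TF_OUTPUT = """
{
  "cluster_name": {"sensitive": false, "type": "string", "value": "eu-west-1-prod"},
  "node_ips": {"sensitive": false, "type": ["list", "string"],
               "value": ["203.0.113.10", "203.0.113.11"]},
  "db_password": {"sensitive": true, "type": "string", "value": "constructed-secret"}
}
"""


def build_inventory(tf_output_json, group="cluster", hosts_output="node_ips"):
    """Return (inventory, skipped): Ansible dynamic-inventory data built from
    Terraform outputs, plus the names of sensitive outputs that were left out."""
    outputs = json.loads(tf_output_json)
    if hosts_output not in outputs:
        raise KeyError(f"Terraform output {hosts_output!r} not found")
    hosts_entry = outputs[hosts_output]
    if hosts_entry.get("sensitive", False):
        raise ValueError(f"refusing to use sensitive output {hosts_output!r} as host list")
    hosts = hosts_entry["value"]
    if not isinstance(hosts, list) or not all(isinstance(h, str) for h in hosts):
        raise TypeError(f"output {hosts_output!r} must be a list of strings")

    group_vars, skipped = {}, []
    for name, entry in sorted(outputs.items()):
        if name == hosts_output:
            continue
        if entry.get("sensitive", False):
            # Keep secrets out of inventory data; fetch them from a vault at run time.
            skipped.append(name)
            continue
        # Prefix so Terraform-sourced values are recognisable in playbooks.
        group_vars["tf_" + name] = entry["value"]

    inventory = {
        group: {"hosts": hosts, "vars": group_vars},
        "_meta": {"hostvars": {}},  # tells Ansible no per-host lookups are needed
    }
    return inventory, skipped


if __name__ == "__main__":
    inv, skipped = build_inventory(SAMPLE_TF_OUTPUT)
    print(json.dumps(inv, indent=2))
    print("skipped sensitive outputs:", skipped)
```
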