Terraform Strategy for Updating Existing Resource

Hi HashiCorp Team,

I am planning to modify my existing infra and want to add a missing interface endpoint to my AWS VPC. However, the catch is that I have 170+ VPCs in different AWS accounts and I need to perform this task on all the VPCs in their respective accounts. Also, my change management does need manual approval. Is there a way to achieve this task without interrupting the day-to-day activity? I am looking for a futuristic solution that will be helpful in the long-term implementation process. Any suggestions/solutions will be appreciated.

Are you using Terraform already for the management of your VPCs?

Yes, I am already using Terraform for the VPC creation, and all those VPCs were created via Terraform scripts only. But each VPC does have a separate workspace and separate state file.

Hi @pradeepta.pramanik

Can you use a VPC data source to access all the VPCs, like this?

A module to find VPCs (the module needs a `name` input and must export the `id` it looks up for the caller below to use it)

# Name tag of the VPC to look up, passed in by the caller
variable "name" { type = string }

data "aws_vpc" "default" {
  filter {
    name   = "tag:Name"
    values = [var.name]
  }
}

# Expose the looked-up VPC id to the calling configuration
output "id" { value = data.aws_vpc.default.id }

Use the module (maybe you will need a loop)

module "aws_network_vpc" {
  source = "../modules/aws/data/network/vpc"
  name   = var.base_net["aws_network_vpc_name"]
}

output "aws_network_vpc" {
  value = module.aws_network_vpc.id
}

Use the module.aws_network_vpc.id result to create the missing interface endpoints in each VPC.

I call this approach a layered Terraform infrastructure, where each “terraform workspace/code” creates some resources on top of existing resources that are found using data sources.

Your existing “terraform workspace/code” will probably not see, fail on, or be affected by the newly created interface endpoints, as they only see what they created.

What do you think?
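The layered approach above, carried through to the endpoint itself, as an added example that is not code from the thread: one separate workspace looks up several existing VPCs by their Name tag, selects their private subnets, and adds an SSM interface endpoint to each behind a security group that only admits HTTPS from inside that VPC. It assumes a single AWS account and region per provider (one such workspace, or one provider alias, per account), a `Tier = private` subnet tag, and constructed VPC names.

```hcl
# Constructed sample VPC names; in practice these come from a variable or tfvars.
locals { vpc_names = toset(["prod-vpc-a", "prod-vpc-b"]) }

data "aws_region" "current" {}

# Look up each existing VPC; this workspace owns none of them.
data "aws_vpc" "target" {
  for_each = local.vpc_names
  filter {
    name   = "tag:Name"
    values = [each.key]
  }
}

# Private subnets in each VPC where the endpoint ENIs will be placed (assumed tagging convention).
data "aws_subnets" "private" {
  for_each = local.vpc_names
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.target[each.key].id]
  }
  filter {
    name   = "tag:Tier"
    values = ["private"]
  }
}

# Least-privilege security group: only HTTPS from the VPC's own CIDR may reach the endpoint.
resource "aws_security_group" "endpoint" {
  for_each    = local.vpc_names
  name_prefix = "vpce-ssm-"
  vpc_id      = data.aws_vpc.target[each.key].id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.target[each.key].cidr_block]
  }
}

# The missing interface endpoint, created once per looked-up VPC.
resource "aws_vpc_endpoint" "ssm" {
  for_each            = local.vpc_names
  vpc_id              = data.aws_vpc.target[each.key].id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.ssm"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = data.aws_subnets.private[each.key].ids
  security_group_ids  = [aws_security_group.endpoint[each.key].id]
  private_dns_enabled = true
}
```

Because the original per-VPC workspaces never reference these resources, their `terraform plan` output stays clean, and the endpoint rollout can be reviewed and approved as one change per account instead of 170 separate ones.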

So you just need to edit your Terraform code to make the interface endpoint you want and then apply those changes. Yes, it can take a little while if you have to run terraform apply 170 times (assuming you are running it manually rather than using a CI/CD system), especially if you are having to go through a manual change management process for each, but that isn’t really something that is unique to Terraform - it would be just as slow (or slower) to make those changes via the AWS CLI or Console.