Terraform, Terraform Cloud and Terraform Registry, and AWS multi-regional deployments (Public + China)

Sharing my experiences and knowledge around Terraform, Terraform Cloud and Terraform Registry while working with AWS deployments into Ireland, North Virginia and China.

Introduction

A little bit about me first: I am a Lead DevOps Engineer specialising in Cloud Native solutions. I primarily work with Kubernetes, although I am not against using solutions such as AWS ECS or AWS Fargate. I am a big fan of the solutions offered by the AWS cloud provider, and I am also a certified solutions architect.

AWS multi-regional deployments

AWS and GCP are the only cloud platforms I have worked with, but AWS is my home. I have been using it non-stop for the past five years.

Terraform

In general, the Terraform AWS provider doesn’t yet fully support AWS China. For example, VPC Endpoints caused issues which meant that I couldn’t use the official VPC module. In simple terms, Terraform doesn’t build the endpoint names correctly: they have to carry the right AWS partition, so instead of the aws commercial partition there should be the Chinese one, which is aws-cn. There is also a change in the service definition, where the endpoint has to use .com.cn instead of .com. I have raised a GitHub issue to get this resolved and you can find it here -> https://github.com/hashicorp/terraform-provider-aws/issues/17640
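As an added example (not the article's code) of handling the partition difference described above, the configuration below derives every partition-specific string from the aws_partition data source, so the same code applies in both aws and aws-cn. The input variables and the cn.com.amazonaws service-name prefix for China interface endpoints are my assumptions.

```hcl
variable "vpc_id" {}                                  # assumed inputs
variable "private_subnet_ids" { type = list(string) }
variable "bucket_name" {}
data "aws_partition" "current" {}
data "aws_region" "current" {}

locals {
  partition  = data.aws_partition.current.partition  # "aws" or "aws-cn"
  dns_suffix = data.aws_partition.current.dns_suffix # "amazonaws.com" or "amazonaws.com.cn"
  # Assumption: interface endpoint service names are prefixed "cn.com.amazonaws"
  # in China regions and "com.amazonaws" elsewhere.
  service_prefix = local.partition == "aws-cn" ? "cn.com.amazonaws" : "com.amazonaws"
}

# Endpoint service name derived from the partition instead of hard-coding
# com.amazonaws.<region>.ec2, which does not exist in China regions.
resource "aws_vpc_endpoint" "ec2" {
  vpc_id              = var.vpc_id
  vpc_endpoint_type   = "Interface"
  service_name        = "${local.service_prefix}.${data.aws_region.current.name}.ec2"
  subnet_ids          = var.private_subnet_ids
  private_dns_enabled = true
}

# Service principal: ec2.amazonaws.com commercially, ec2.amazonaws.com.cn in China.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.${local.dns_suffix}"]
    }
  }
}

# ARN prefix: arn:aws: commercially, arn:aws-cn: in China; a hard-coded
# "arn:aws:" matches nothing in China, so the policy grants no access there.
data "aws_iam_policy_document" "s3_read" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:${local.partition}:s3:::${var.bucket_name}/*"]
  }
}

resource "aws_iam_role" "app" {
  name               = "app-role"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}
resource "aws_iam_role_policy" "s3_read" {
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.s3_read.json
}
```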

Terraform Registry

While deploying things into China, an additional problem I faced was the Terraform Registry itself. In order to deploy Terraform modules to China, you need a pipeline which is also based in AWS China. This is necessary in order to assume a correct IAM Role which has the relevant permissions to deploy everything, and it is again related to the fact that you are no longer using the aws partition but rather aws-cn. So here is a surprise for you: Terraform Registry module sources don’t work from a China-based pipeline, the module simply fails to download. To clarify this further, here is an example:

# Reference that doesn't work and will fail to download
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "2.77.0"
  ...
}

# Working reference
module "vpc" {
  source = "git@github.com:terraform-aws-modules/terraform-aws-vpc.git?ref=v2.77.0"
  ...
}

Terraform Cloud

I am using Terraform Cloud to store all Terraform states in a place which is isolated from the AWS accounts. To my surprise, this is the only service that didn’t cause any issues. I have to say that it has proven to be very solid and stable. Perhaps there are not many releases updating it, which makes a lot of sense. Note that I am a big fan of simplicity and of the way Terraform Cloud is implemented. I am still using the free version of it as I don’t require any paid package. I was interested in upgrading to the Terraform Business plan, however, after hearing that costs start at £40k a month to get audit logs, SAML integration and some runners, I decided to pass on this fantastic deal lol.

Conclusion

There are a lot of positives in using Terraform, Terraform Registry and Terraform Cloud when they work as expected. In the case of deploying to AWS China, this is a work in progress, but I am confident that at some point everything will be working smoothly.

  • ECS Insights
  • WAFv2
  • SES

Contact

In case you require any support or consultation on a similar type of project, please find me on LinkedIn: https://www.linkedin.com/in/marcincuber/

Lead Software/Infrastructure/Devops Engineer and AWS Community Builder