Terraform: state management for multi-tenancy

Question

As we\'re in progress of evaluating Terraform to replace (partially) our Ansible provisioning process for a multi-tenancy SaaS, we realize the convenience, performance and r

Answer 1

Your suggested approach sounds right to me, but there are few more things which you may consider doing.

Keep original Terraform templates (_template in the tree below) as versioned artifact (git repo, for eg) and just pass key-values properties to be able to recreate your infrastructure. This way you will have very small amount of copy pasted Terraform configuration code laying around in directories.

This is how it looks:

/tf-infra
├── _global
│   └── global
│       ├── README.md
│       ├── main.tf
│       ├── outputs.tf
│       ├── terraform.tfvars
│       └── variables.tf
└── staging
    └── eu-west-1
        ├── saas
        │   ├── _template
        │   │   └── dynamic.tf.tpl
        │   ├── customer1
        │   │   ├── auto-generated.tf
        │   │   └── terraform.tfvars
        │   ├── customer2
        │   │   ├── auto-generated.tf
        │   │   └── terraform.tfvars
...

Two helper scripts are needed:

1. Template rendering. Use either sed to generate module's source attribute or use more powerful tool (as for example it is done in airbnb/streamalert )

2. Wrapper script. Run terraform -var-file=... is usually enough.

Shared terraform state files as well resources which should be global (directory _global above) can be stored on S3, so that other layers can access them.

PS: I am very much open for comments on the proposed solution, because this is an interesting task to work on :)