DEV Community: Bartłomiej Danek The latest articles on DEV Community by Bartłomiej Danek (@bard). https://dev.to/bard https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F176145%2Ffcbab39e-a7ce-49dd-8505-b8b8e2146e4e.png DEV Community: Bartłomiej Danek https://dev.to/bard en Terragrunt folder structure and include Bartłomiej Danek Wed, 15 Apr 2026 12:21:09 +0000 https://dev.to/bard/terragrunt-folder-structure-and-include-33d7 https://dev.to/bard/terragrunt-folder-structure-and-include-33d7 <h2> folder structure </h2> <p>Terragrunt projects split config into two layers: a root <code>hcl</code> file with shared settings, and per-unit <code>terragrunt.hcl</code> files that inherit from it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>root.hcl environments/ ├── dev/ │ ├── vpc/ │ │ └── terragrunt.hcl │ ├── rds/ │ │ └── terragrunt.hcl │ └── eks/ │ └── terragrunt.hcl └── prod/ ├── vpc/ │ └── terragrunt.hcl ├── rds/ │ └── terragrunt.hcl └── eks/ └── terragrunt.hcl </code></pre> </div> <p>Each leaf <code>terragrunt.hcl</code> is one Terraform unit - its own state file, its own apply.</p> <h2> <code>include</code> - inherit from root </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/prod/vpc/terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/org/tf-modules.git//vpc?ref=v1.2.0"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prod-vpc"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <h2> root.hcl </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root.hcl</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">=</span> <span class="nx">basename</span><span class="p">(</span><span class="nx">dirname</span><span class="p">(</span><span class="nx">get_terragrunt_dir</span><span class="p">()))</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-tf-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">region</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-locks"</span> <span class="p">}</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> provider "aws" { region = "${local.region}" } </span><span class="no">EOF </span><span class="p">}</span> </code></pre> </div> <h2> <code>find_in_parent_folders</code> </h2> <p>Walks up the directory tree until it finds the file - no hardcoded paths needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="c1"># finds root.hcl by default</span> <span class="p">}</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="c1"># explicit name</span> <span class="p">}</span> </code></pre> </div> <p><em>Originally published at <a href="https://bard.sh/posts/terragrunt_folder_structure/" rel="noopener noreferrer">https://bard.sh/posts/terragrunt_folder_structure/</a></em></p> terragrunt terraform hcl Terragrunt remote_state and generate blocks Bartłomiej Danek Wed, 15 Apr 2026 12:19:59 +0000 https://dev.to/bard/terragrunt-remotestate-and-generate-blocks-ejc https://dev.to/bard/terragrunt-remotestate-and-generate-blocks-ejc <h2> <code>remote_state</code> </h2> <p>Defines the backend once in <code>root.hcl</code> - Terragrunt auto-generates the backend config for every unit that includes it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root.hcl</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-tf-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-locks"</span> <span class="p">}</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>path_relative_to_include()</code> resolves to the path of the calling <code>terragrunt.hcl</code> relative to <code>root.hcl</code> - e.g. <code>environments/prod/vpc</code> - giving each unit a unique state key automatically.</p> <h2> <code>generate</code> block </h2> <p>Writes any file before running Terraform - typically used for <code>provider.tf</code> and <code>backend.tf</code> so they don't need to be duplicated in every module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> provider "aws" { region = "eu-west-1" default_tags { tags = { ManagedBy = "terraform" Environment = "prod" } } } </span><span class="no">EOF </span><span class="p">}</span> </code></pre> </div> <h2> <code>if_exists</code> options </h2> <ul> <li> <code>overwrite_terragrunt</code> - overwrite only if Terragrunt generated the file (safe default)</li> <li> <code>overwrite</code> - always overwrite</li> <li> <code>skip</code> - skip if file exists</li> <li> <code>error</code> - error if file exists</li> </ul> <h2> generating multiple files </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">generate</span> <span class="s2">"versions"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"versions.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> terraform { required_version = "&gt;= 1.5" required_providers { aws = { source = "hashicorp/aws" version = "~&gt; 5.0" } } } </span><span class="no">EOF </span><span class="p">}</span> </code></pre> </div> <p><em>Originally published at <a href="https://bard.sh/posts/terragrunt_remote_state/" rel="noopener noreferrer">https://bard.sh/posts/terragrunt_remote_state/</a></em></p> terragrunt terraform hcl What is Terragrunt and why you need it Bartłomiej Danek Wed, 15 Apr 2026 12:19:14 +0000 https://dev.to/bard/what-is-terragrunt-and-why-you-need-it-5hcl https://dev.to/bard/what-is-terragrunt-and-why-you-need-it-5hcl <h2> the multi-env problem </h2> <p>With plain Terraform, managing multiple environments means duplicating config - same modules, different variable files, same backend boilerplate repeated everywhere.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>environments/ ├── dev/ │ ├── main.tf # copy │ ├── variables.tf # copy │ └── backend.tf # copy with different key ├── staging/ │ ├── main.tf # copy │ ├── variables.tf # copy │ └── backend.tf # copy with different key └── prod/ ├── main.tf # copy ├── variables.tf # copy └── backend.tf # copy with different key </code></pre> </div> <p>Any change to the module requires updating all three.</p> <h2> what Terragrunt does </h2> <p>Terragrunt is a thin wrapper around Terraform that adds:</p> <ul> <li>DRY backend config - define once, inherit everywhere</li> <li> <code>dependency</code> blocks - wire modules together without a monolith</li> <li> <code>run-all</code> - apply/plan/destroy across multiple modules in one command</li> <li> <code>generate</code> blocks - auto-generate files (provider configs, backend configs)</li> <li> <code>mock_outputs</code> - unblock <code>plan</code> in CI when dependencies haven't been applied yet</li> </ul> <h2> terraform vs terragrunt </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Terraform</th> <th>Terragrunt</th> </tr> </thead> <tbody> <tr> <td>Backend config</td> <td>per-module</td> <td>inherited from root</td> </tr> <tr> <td>Multi-module apply</td> <td>manual</td> <td><code>run-all</code></td> </tr> <tr> <td>Module wiring</td> <td><code>terraform_remote_state</code></td> <td> <code>dependency</code> block</td> </tr> <tr> <td>DRY config</td> <td>variables only</td> <td>full config inheritance</td> </tr> </tbody> </table></div> <h2> installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>asdf plugin-add terragrunt asdf <span class="nb">install </span>terragrunt 0.67.0 asdf <span class="nb">local </span>terragrunt 0.67.0 </code></pre> </div> <p>or <a href="https://developer.hashicorp.com/terraform/tutorials/automation/terragrunt" rel="noopener noreferrer">developer.hashicorp.com/terraform/tutorials/automation/terragrunt</a></p> <h2> what the structure looks like </h2> <p>Instead of duplicated <code>.tf</code> files, you get one <code>root.hcl</code> and small <code>terragrunt.hcl</code> files per unit that only define what's different:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">root</span><span class="err">.</span><span class="nx">hcl</span> <span class="nx">environments</span><span class="err">/</span> <span class="err">├──</span> <span class="nx">dev</span><span class="err">/</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">vpc</span><span class="err">/</span> <span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">terragrunt</span><span class="err">.</span><span class="nx">hcl</span> <span class="c1"># 5 lines: include + inputs</span> <span class="err">│</span> <span class="err">├──</span> <span class="nx">rds</span><span class="err">/</span> <span class="err">│</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">terragrunt</span><span class="err">.</span><span class="nx">hcl</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">eks</span><span class="err">/</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">terragrunt</span><span class="err">.</span><span class="nx">hcl</span> <span class="err">└──</span> <span class="nx">prod</span><span class="err">/</span> <span class="err">├──</span> <span class="nx">vpc</span><span class="err">/</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">terragrunt</span><span class="err">.</span><span class="nx">hcl</span> <span class="err">├──</span> <span class="nx">rds</span><span class="err">/</span> <span class="err">│</span> <span class="err">└──</span> <span class="nx">terragrunt</span><span class="err">.</span><span class="nx">hcl</span> <span class="err">└──</span> <span class="nx">eks</span><span class="err">/</span> <span class="err">└──</span> <span class="nx">terragrunt</span><span class="err">.</span><span class="nx">hcl</span> </code></pre> </div> <p>A typical leaf <code>terragrunt.hcl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/org/tf-modules.git//vpc?ref=v1.2.0"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prod-vpc"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <p>The backend, provider, and locking config all come from <code>root.hcl</code> - no repetition.</p> <p>See <a href="//terragrunt_folder_structure.md">folder structure and include</a> for the full <code>root.hcl</code> setup.</p> <p><em>Originally published at <a href="https://bard.sh/posts/what_is_terragrunt/" rel="noopener noreferrer">https://bard.sh/posts/what_is_terragrunt/</a></em></p> terragrunt terraform hcl Terraform data sources Bartłomiej Danek Wed, 15 Apr 2026 12:19:13 +0000 https://dev.to/bard/terraform-data-sources-6a9 https://dev.to/bard/terraform-data-sources-6a9 <h2> data sources </h2> <p>Data sources let you read existing infrastructure without managing it - useful for referencing resources created outside Terraform or in another state file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"tag:Name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"main"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.1.0/24"</span> <span class="p">}</span> </code></pre> </div> <h2> common data sources </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># latest Amazon Linux 2 AMI</span> <span class="nx">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"amazon_linux"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amazon"</span><span class="p">]</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amzn2-ami-hvm-*-x86_64-gp2"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># current AWS account ID</span> <span class="nx">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="nx">output</span> <span class="s2">"account_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span> <span class="p">}</span> <span class="c1"># existing S3 bucket (not managed by this config)</span> <span class="nx">data</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"shared_logs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-shared-logs"</span> <span class="p">}</span> </code></pre> </div> <h2> reading from another state file </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"terraform_remote_state"</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-tf-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"network/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">terraform_remote_state</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnet_id</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">amazon_linux</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> data source vs resource </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th><code>resource</code></th> <th><code>data</code></th> </tr> </thead> <tbody> <tr> <td>creates/modifies</td> <td>yes</td> <td>no</td> </tr> <tr> <td>shows in plan</td> <td>yes</td> <td>no</td> </tr> <tr> <td>can destroy</td> <td>yes</td> <td>no</td> </tr> <tr> <td>reads on</td> <td>apply</td> <td>plan + apply</td> </tr> </tbody> </table></div> <p><em>Originally published at <a href="https://bard.sh/posts/terraform_data_sources/" rel="noopener noreferrer">https://bard.sh/posts/terraform_data_sources/</a></em></p> terraform hcl Terragrunt run-all Bartłomiej Danek Wed, 15 Apr 2026 12:18:43 +0000 https://dev.to/bard/terragrunt-run-all-fej https://dev.to/bard/terragrunt-run-all-fej <h2> <code>run-all</code> </h2> <p>Runs a Terraform command across all units in the current directory tree, respecting <code>dependency</code> order.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>environments/prod terragrunt run-all plan terragrunt run-all apply terragrunt run-all destroy <span class="c"># reverse order</span> </code></pre> </div> <h2> dependency-aware ordering </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>environments/prod/ ├── vpc/ ├── rds/ # depends on vpc └── eks/ # depends on vpc </code></pre> </div> <p><code>run-all apply</code> applies <code>vpc</code> first, then <code>rds</code> and <code>eks</code> in parallel.</p> <h2> real CI pipeline </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy.yml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Plan all</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terragrunt run-all plan --terragrunt-non-interactive</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">environments/prod</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Apply all</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terragrunt run-all apply --terragrunt-non-interactive -auto-approve</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">environments/prod</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> </code></pre> </div> <p>Detect drift in CI without applying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># exit code 2 = changes detected, 0 = no changes, 1 = error</span> terragrunt run-all plan <span class="se">\</span> <span class="nt">--terragrunt-non-interactive</span> <span class="se">\</span> <span class="nt">-detailed-exitcode</span> </code></pre> </div> <h2> filtering </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># skip a unit</span> terragrunt run-all apply <span class="nt">--terragrunt-exclude-dir</span> environments/prod/rds <span class="c"># target a single unit and its dependencies</span> terragrunt run-all apply <span class="nt">--terragrunt-include-dir</span> environments/prod/eks </code></pre> </div> <h2> parallelism </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># default is unlimited parallel - cap it if you hit API rate limits</span> terragrunt run-all apply <span class="nt">--terragrunt-parallelism</span> 4 </code></pre> </div> <h2> output </h2> <p>Each unit prefixes its own output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[environments/prod/vpc] Apply complete! Resources: 12 added. [environments/prod/rds] Apply complete! Resources: 4 added. [environments/prod/eks] Apply complete! Resources: 31 added. </span></code></pre> </div> <p><em>Originally published at <a href="https://bard.sh/posts/terragrunt_run_all/" rel="noopener noreferrer">https://bard.sh/posts/terragrunt_run_all/</a></em></p> terragrunt terraform hcl Terraform S3 backend with state locking Bartłomiej Danek Wed, 15 Apr 2026 12:18:42 +0000 https://dev.to/bard/terraform-s3-backend-with-state-locking-3an2 https://dev.to/bard/terraform-s3-backend-with-state-locking-3an2 <h2> S3 backend with state locking </h2> <p>S3 stores the state file, DynamoDB handles locking - prevents two <code>apply</code> runs from corrupting state simultaneously.</p> <h2> setup </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-tf-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"prod/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-locks"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> create the S3 bucket and DynamoDB table </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"tf_state"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-tf-state"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"tf_state"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">tf_state</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_server_side_encryption_configuration"</span> <span class="s2">"tf_state"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">tf_state</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"tf_locks"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"terraform-locks"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"LockID"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"LockID"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> state locking in action </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform apply Acquiring state lock. This may take a few moments... <span class="c"># if another process holds the lock:</span> Error: Error acquiring the state lock Lock Info: ID: abc-123 Path: prod/terraform.tfstate Operation: OperationTypeApply Who: alice@machine Created: 2024-10-14 12:00:00 </code></pre> </div> <h2> force-unlock (use carefully) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform force-unlock &lt;lock-id&gt; </code></pre> </div> <h2> per-environment keys </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># dev</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"dev/terraform.tfstate"</span> <span class="p">}</span> <span class="c1"># prod</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"prod/terraform.tfstate"</span> <span class="p">}</span> </code></pre> </div> <p><em>Originally published at <a href="https://bard.sh/posts/terraform_s3_backend/" rel="noopener noreferrer">https://bard.sh/posts/terraform_s3_backend/</a></em></p> terraform hcl aws .terraform.lock.hcl - commit it Bartłomiej Danek Wed, 15 Apr 2026 12:15:18 +0000 https://dev.to/bard/terraformlockhcl-commit-it-egd https://dev.to/bard/terraformlockhcl-commit-it-egd <h2> <code>.terraform.lock.hcl</code> - commit it </h2> <p>Terraform generates this file on <code>terraform init</code> - it pins the exact provider versions and their checksums so every team member and CI run uses the same binaries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"registry.terraform.io/hashicorp/aws"</span> <span class="p">{</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.50.0"</span> <span class="nx">constraints</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">hashes</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"h1:abc123..."</span><span class="p">,</span> <span class="s2">"zh:def456..."</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> what it contains </h2> <ul> <li> <code>version</code> - exact version that was selected</li> <li> <code>constraints</code> - the constraint from <code>required_providers</code> </li> <li> <code>hashes</code> - checksums for each platform (linux, darwin, windows)</li> </ul> <h2> why commit it </h2> <ul> <li>reproducible builds - everyone gets the same provider binary</li> <li>audit trail - version changes are visible in git diff</li> <li>faster CI - Terraform can skip checksum verification with <code>-lockfile=readonly</code> </li> </ul> <h2> updating it </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># upgrade a specific provider</span> terraform init <span class="nt">-upgrade</span> <span class="c"># upgrade all providers</span> terraform init <span class="nt">-upgrade</span> <span class="nt">-reconfigure</span> </code></pre> </div> <h2> CI flag </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># fails if lock file is out of date - use in CI</span> terraform init <span class="nt">-lockfile</span><span class="o">=</span><span class="nb">readonly</span> </code></pre> </div> <p><em>Originally published at <a href="https://bard.sh/posts/terraform_lock_hcl/" rel="noopener noreferrer">https://bard.sh/posts/terraform_lock_hcl/</a></em></p> terraform hcl Terraform and HCP Terraform Bartłomiej Danek Wed, 15 Apr 2026 12:15:17 +0000 https://dev.to/bard/terraform-and-hcp-terraform-pa6 https://dev.to/bard/terraform-and-hcp-terraform-pa6 <h2> what is terraform </h2> <p>Terraform is a CLI tool for building and managing infrastructure as code. You describe what you want, it figures out how to get there.</p> <ul> <li>written in HCL</li> <li>no enforced file structure</li> <li>dependencies between resources are expressed in code</li> <li>API wrapper for AWS, GCP, Azure, Kubernetes, GitHub, and many more</li> <li>immutable infrastructure by default </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-0c55b159cbfafe1f0"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.small"</span> <span class="p">}</span> </code></pre> </div> <h2> CLI </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init <span class="c"># initialize, download providers</span> terraform plan <span class="c"># dry run - shows what will change</span> terraform apply <span class="c"># apply changes</span> terraform destroy <span class="c"># destroy everything</span> terraform validate <span class="c"># validate config files</span> terraform <span class="nb">fmt</span> <span class="c"># auto-format</span> terraform state <span class="c"># inspect and manipulate state</span> terraform output <span class="c"># show outputs</span> terraform console <span class="c"># interactive expression evaluator</span> </code></pre> </div> <h2> topics </h2> <ul> <li><a href="//terraform_s3_backend.md">State, S3 backend and locking</a></li> <li><a href="//terraform.md#variables">Variables, locals, outputs</a></li> <li><a href="//count_vs_for_each.md">count vs for_each</a></li> <li><a href="//hcl_expressions.md">for, if expressions</a></li> <li><a href="//terraform_data_sources.md">Data sources</a></li> <li><a href="//terraform_dynamic_blocks.md">Dynamic blocks</a></li> <li><a href="//terraform_lifecycle.md">Lifecycle rules</a></li> <li><a href="//terraform_lock_hcl.md">.terraform.lock.hcl</a></li> <li><a href="//terraform.md#modules">Modules</a></li> </ul> <h2> variables </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"env"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Deployment environment"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="p">}</span> <span class="c1"># use it</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">env</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Pass values via <code>terraform.tfvars</code>, <code>-var</code> flag, or <code>TF_VAR_</code> env vars.</p> <h2> locals </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"${var.env}-${var.region}"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"logs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"${local.prefix}-logs"</span> <span class="p">}</span> </code></pre> </div> <h2> outputs </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"instance_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"db_password"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_db_instance</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">password</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h2> modules </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"main"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> </code></pre> </div> <h2> good practices </h2> <ul> <li>always commit <code>.terraform.lock.hcl</code> </li> <li>use <code>for_each</code> over <code>count</code> for named resources</li> <li>specify exact provider versions: <code>~&gt; 5.50</code> </li> <li>use encrypted remote backend</li> <li> <code>terraform fmt</code> before every commit</li> <li>use <code>moved</code> blocks instead of destroy + recreate</li> <li>avoid <code>null_resource</code> - there is usually a better way</li> </ul> <p><em>Originally published at <a href="https://bard.sh/posts/terraform/" rel="noopener noreferrer">https://bard.sh/posts/terraform/</a></em></p> terraform devops hcl Terraform lifecycle rules Bartłomiej Danek Wed, 15 Apr 2026 12:14:44 +0000 https://dev.to/bard/terraform-lifecycle-rules-4f68 https://dev.to/bard/terraform-lifecycle-rules-4f68 <h2> lifecycle rules </h2> <p><code>lifecycle</code> controls how Terraform creates, updates, and destroys a resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"main-db"</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">prevent_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">password</span><span class="p">,</span> <span class="nx">engine_version</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> <code>create_before_destroy</code> </h2> <p>By default Terraform destroys then creates. With <code>create_before_destroy</code> it creates the replacement first - useful for resources that can't have downtime (load balancers, DNS records, certificates).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">latest</span><span class="p">.</span><span class="nx">id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.small"</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> <code>prevent_destroy</code> </h2> <p>Blocks <code>terraform destroy</code> and any plan that would delete the resource. Good for databases and S3 buckets you can't lose.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"critical"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"company-backups"</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">prevent_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># this will error:</span> terraform destroy <span class="c"># Error: Instance cannot be destroyed</span> </code></pre> </div> <h2> <code>ignore_changes</code> </h2> <p>Stops Terraform from overwriting fields that change outside of Terraform - e.g. auto-scaling group sizes, passwords rotated by another tool.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_autoscaling_group"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"app-asg"</span> <span class="nx">desired_capacity</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">desired_capacity</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Use <code>ignore_changes = all</code> to ignore every attribute - useful for resources fully managed externally.</p> <h2> <code>replace_triggered_by</code> </h2> <p>Force replacement when another resource or attribute changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">latest</span><span class="p">.</span><span class="nx">id</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">replace_triggered_by</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><em>Originally published at <a href="https://bard.sh/posts/terraform_lifecycle/" rel="noopener noreferrer">https://bard.sh/posts/terraform_lifecycle/</a></em></p> terraform hcl Nomad Bartłomiej Danek Wed, 15 Apr 2026 12:14:43 +0000 https://dev.to/bard/nomad-2o2g https://dev.to/bard/nomad-2o2g <h2> Nomad </h2> <ul> <li>workload orchestrator (containers, java, vm, windows, binaries)</li> <li>single binary (linux, arm, osx, windows)</li> <li>unified workflow for deployments <ul> <li>zero downtime (blue-green, canary, rolling-release)</li> <li>batch</li> <li>service / system</li> </ul> </li> <li>easily integrates with Consul and Vault</li> <li>plugin system: CSI, CNI</li> <li>uses HCL to define workloads</li> </ul> <h2> installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>asdf plugin-add nomad asdf <span class="nb">install </span>nomad 1.8.0 asdf <span class="nb">local </span>nomad 1.8.0 </code></pre> </div> <p>or <a href="https://developer.hashicorp.com/nomad/downloads" rel="noopener noreferrer">developer.hashicorp.com/nomad/downloads</a></p> <h2> CLI </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nomad run &lt;job&gt; <span class="c"># run/update a job</span> nomad stop &lt;job&gt; <span class="c"># stop a job</span> nomad status <span class="o">[</span>job] <span class="c"># check status</span> nomad agent <span class="nt">-dev</span> <span class="c"># run agent in dev mode</span> nomad <span class="nb">exec</span> &lt;alloc&gt; sh <span class="c"># exec into allocation</span> nomad <span class="nt">-help</span> <span class="c"># global help</span> </code></pre> </div> <h2> architecture </h2> <ul> <li> <strong>Job</strong> - declared workload; defines desired state</li> <li> <strong>Task Group</strong> - set of tasks that must run together</li> <li> <strong>Driver</strong> - tool to run a workload (docker, exec, java...)</li> <li> <strong>Task</strong> - smallest unit of work</li> <li> <strong>Client</strong> - machine where tasks run</li> <li> <strong>Allocation</strong> - mapping of task group to client</li> <li> <strong>Evaluation</strong> - scheduling decision mechanism</li> <li> <strong>Server</strong> - brain of the cluster </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>job \_ group \_ task </code></pre> </div> <h2> job spec </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">job</span> <span class="s2">"api"</span> <span class="p">{</span> <span class="nx">datacenters</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"dc1"</span><span class="p">]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"service"</span> <span class="nx">update</span> <span class="p">{</span> <span class="nx">max_parallel</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">stagger</span> <span class="p">=</span> <span class="s2">"30s"</span> <span class="p">}</span> <span class="nx">group</span> <span class="s2">"api"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">network</span> <span class="p">{</span> <span class="nx">port</span> <span class="s2">"http"</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">task</span> <span class="s2">"server"</span> <span class="p">{</span> <span class="nx">driver</span> <span class="p">=</span> <span class="s2">"docker"</span> <span class="nx">config</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"my-org/api:1.2.3"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"http"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resources</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="mi">500</span> <span class="nx">memory</span> <span class="p">=</span> <span class="mi">256</span> <span class="p">}</span> <span class="nx">service</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"api"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">check</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"http"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/health"</span> <span class="nx">interval</span> <span class="p">=</span> <span class="s2">"10s"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="s2">"2s"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> dev mode </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>nomad agent <span class="nt">-dev</span> <span class="c"># UI at http://localhost:4646</span> <span class="c"># do NOT use in production</span> </code></pre> </div> <h2> deployments </h2> <h3> rolling update </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">update</span> <span class="p">{</span> <span class="nx">max_parallel</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">min_healthy_time</span> <span class="p">=</span> <span class="s2">"10s"</span> <span class="nx">healthy_deadline</span> <span class="p">=</span> <span class="s2">"3m"</span> <span class="p">}</span> </code></pre> </div> <h3> canary </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">update</span> <span class="p">{</span> <span class="nx">canary</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_parallel</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">auto_promote</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p>Promote manually after verifying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nomad deployment promote &lt;deployment-id&gt; </code></pre> </div> <h3> blue-green </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">update</span> <span class="p">{</span> <span class="nx">canary</span> <span class="p">=</span> <span class="mi">3</span> <span class="c1"># equal to group count</span> <span class="nx">max_parallel</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">auto_promote</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <h2> plan and apply </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>nomad job plan api.nomad Job Modify Index: 7 To submit with version verification: nomad run <span class="nt">-check-index</span> 7 api.nomad <span class="nv">$ </span>nomad run <span class="nt">-check-index</span> 7 api.nomad </code></pre> </div> <h2> history and revert </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>nomad job <span class="nb">history </span>api Version <span class="o">=</span> 3 Stable <span class="o">=</span> <span class="nb">true </span>Submit Date <span class="o">=</span> ... Version <span class="o">=</span> 2 Stable <span class="o">=</span> <span class="nb">true </span>Submit Date <span class="o">=</span> ... Version <span class="o">=</span> 1 Stable <span class="o">=</span> <span class="nb">false </span>Submit Date <span class="o">=</span> ... <span class="nv">$ </span>nomad job revert api 2 </code></pre> </div> <h2> scheduled batch jobs </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">job</span> <span class="s2">"nightly-report"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"batch"</span> <span class="nx">periodic</span> <span class="p">{</span> <span class="nx">crons</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0 2 * * *"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">group</span> <span class="s2">"report"</span> <span class="p">{</span> <span class="nx">task</span> <span class="s2">"run"</span> <span class="p">{</span> <span class="nx">driver</span> <span class="p">=</span> <span class="s2">"docker"</span> <span class="nx">config</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"my-org/reporter:latest"</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"/app/report"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>For service discovery and load balancing with Consul - see <a href="//consul_service_discovery.md">Consul service discovery</a>.</p> <p><em>Originally published at <a href="https://bard.sh/posts/nomad_and_consul/" rel="noopener noreferrer">https://bard.sh/posts/nomad_and_consul/</a></em></p> nomad hcl Terraform dynamic blocks Bartłomiej Danek Wed, 15 Apr 2026 12:10:46 +0000 https://dev.to/bard/terraform-dynamic-blocks-5e1c https://dev.to/bard/terraform-dynamic-blocks-5e1c <h2> dynamic blocks </h2> <p><code>dynamic</code> generates repeated nested blocks from a variable - avoids copy-pasting the same block for each item.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"ingress_rules"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span><span class="p">,</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span><span class="p">,</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span><span class="p">,</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span><span class="p">,</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">22</span><span class="p">,</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span><span class="p">,</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/8"</span> <span class="p">},</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"web"</span> <span class="nx">dynamic</span> <span class="s2">"ingress"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ingress_rules</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">port</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> iterator name </h2> <p>By default the iterator is the block label (<code>ingress</code> above). Override it with <code>iterator</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">dynamic</span> <span class="s2">"ingress"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ingress_rules</span> <span class="nx">iterator</span> <span class="p">=</span> <span class="nx">rule</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">port</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> conditional block </h2> <p>To make a block optional, pass an empty list or a one-element list:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"enable_logging"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-bucket"</span> <span class="nx">dynamic</span> <span class="s2">"logging"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_logging</span> <span class="err">?</span> <span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="err">:</span> <span class="p">[]</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">target_bucket</span> <span class="p">=</span> <span class="s2">"my-logs-bucket"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> nested dynamic blocks </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">dynamic</span> <span class="s2">"rule"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">rules</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">action</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">action</span> <span class="nx">dynamic</span> <span class="s2">"condition"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">conditions</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">field</span> <span class="p">=</span> <span class="nx">condition</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">field</span> <span class="nx">values</span> <span class="p">=</span> <span class="nx">condition</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">values</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><em>Originally published at <a href="https://bard.sh/posts/terraform_dynamic_blocks/" rel="noopener noreferrer">https://bard.sh/posts/terraform_dynamic_blocks/</a></em></p> terraform hcl for_each over tuple in Terraform Bartłomiej Danek Wed, 15 Apr 2026 12:10:45 +0000 https://dev.to/bard/foreach-over-tuple-in-terraform-2fn9 https://dev.to/bard/foreach-over-tuple-in-terraform-2fn9 <h2> <code>for_each</code> over tuples in terraform </h2> <p>Terraform does not allow to iterate through a tuple with <code>for_each</code>, but you can create one in the fly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">cron_jobs</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"every-15-minutes"</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"rake send:sms:notification"</span> <span class="nx">cron</span> <span class="p">=</span> <span class="s2">"*/15 * * * * *"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"every-30-minutes"</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"rake send:sqs:notification"</span> <span class="nx">cron</span> <span class="p">=</span> <span class="s2">"*/30 * * * * *"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"nomad_job"</span> <span class="s2">"cron_jobs"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">cj</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cron_jobs</span> <span class="err">:</span> <span class="nx">cj</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">cj</span> <span class="p">}</span> <span class="nx">jobspec</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"cron_job.tpl"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">command</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">command</span> <span class="nx">cron</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cron</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Inside the block, <code>each.key</code> is the map key (<code>cj.name</code>) and <code>each.value</code> is the full object.</p> <h2> <code>for_each</code> over a plain list </h2> <p>For a simple list of strings, convert it to a set first with <code>toset()</code> - this is required because sets have no index.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"buckets"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"logs"</span><span class="p">,</span> <span class="s2">"backups"</span><span class="p">,</span> <span class="s2">"artifacts"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">buckets</span><span class="p">)</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="p">}</span> </code></pre> </div> <p><code>each.key</code> and <code>each.value</code> are identical when iterating a set.</p> <h2> <code>for_each</code> over a map </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"buckets"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">logs</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">backups</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">buckets</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> </code></pre> </div> <p><em>Originally published at <a href="https://bard.sh/posts/for_each/" rel="noopener noreferrer">https://bard.sh/posts/for_each/</a></em></p> terraform hcl